From 3efee94e19cdcb5c3b7a3ec399f8e10408bfb3c7 Mon Sep 17 00:00:00 2001
From: John Cupitt
Date: Thu, 21 Jul 2016 07:40:33 +0100
Subject: [PATCH] fix possible out of bounds read in tiff2vips
reading a malformed tiff file from a buffer could trigger out of bounds read thanks Matt Richards
---
 ChangeLog | 1 +
 libvips/foreign/tiff2vips.c | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 600f20f9..d7981499 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 18/5/16 started 8.3.2
 - more robust vips image reading
+- more robust tiff read [Matt Richards]
 15/4/16 started 8.3.1
 - rename vips wrapper script, it was still vips-8.2, thanks Benjamin
diff --git a/libvips/foreign/tiff2vips.c b/libvips/foreign/tiff2vips.c
index 1c58bd61..2c2bf39c 100644
--- a/libvips/foreign/tiff2vips.c
+++ b/libvips/foreign/tiff2vips.c
@@ -1832,9 +1840,17 @@ my_tiff_read( thandle_t st, tdata_t buffer, tsize_t size )
 {
 ReadTiff *rtiff = (ReadTiff *) st;
- size_t available = rtiff->len - rtiff->pos;
- size_t copy = VIPS_MIN( size, available );
+ size_t available;
+ size_t copy;
+ if( rtiff->pos > rtiff->len ) {
+ vips_error( "tiff2vips",
+ "%s", _( "read beyond end of buffer" ) );
+ return( 0 );
+ }
+
+ available = rtiff->len - rtiff->pos;
+ copy = VIPS_MIN( size, available );
 memcpy( buffer, (unsigned char *) rtiff->buf + rtiff->pos, copy );
 rtiff->pos += copy;
@@ -1855,6 +1863,9 @@ my_tiff_close( thandle_t st )
 return 0;
 }
+/* After calling this, ->pos is not bound by the size of the buffer, it can
+ * have any positive value.
+ */
 static toff_t
 my_tiff_seek( thandle_t st, toff_t pos, int whence )
 {
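Review bot: The added `rtiff->pos > rtiff->len` guard closes the size_t underflow in `available`, but `copy = VIPS_MIN( size, available )` still mixes the signed `size` (tsize_t, which is signed in libtiff as far as I recall) with the unsigned `available`: a negative size would promote to a huge unsigned value and select `available` bytes for the memcpy. libtiff is not expected to hand in a negative size, so this is belt-and-braces, but a one-line `if( size < 0 ) return( 0 );` next to the new check pins that assumption down instead of relying on the caller. The guard itself also deserves a why-comment, since the reason only lives in the other hunk, e.g. `/* my_tiff_seek() can leave ->pos past ->len; without this the subtraction below wraps */`. my_tiff_read's return statement is outside the hunk.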
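Review bot: The new comment on my_tiff_seek says ->pos can take "any positive value", but the arithmetic in my_tiff_read appears to treat pos and len as size_t, so the real contract to document is that a seek can leave pos beyond len (and, for SEEK_CUR/SEEK_END, possibly wrap around) and every reader must re-validate it before use. I would state that explicitly: `/* A seek may leave ->pos anywhere, including past ->len; my_tiff_read() must check pos <= len before using it. */`. my_tiff_seek's body is outside the hunk, so whether it bounds or overflow-checks the new position is not visible here.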