TIFFReadRGBAImage leads to FPE
I found a strange case where libtiff does not check for an FPE in `TIFFReadRGBAImage`.
Here is a simple example; the image is attached.
```c
#include <tiffio.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    /* Dimensions passed to TIFFReadRGBAImage; the file itself carries no image data. */
    uint32_t w = 0x5a158d1;
    uint32_t h = 0x1;

    /* Raster for the RGBA result: one uint32_t per pixel. */
    uint32_t *raster = malloc((size_t)w * h * sizeof(uint32_t));
    if (raster == NULL)
        return 1;

    const char *file_path = "image.tiff";
    TIFF *atiff = TIFFOpen(file_path, "w");   /* opened for writing, no tags set */
    if (atiff == NULL) {
        free(raster);
        return 1;
    }

    /* Writing out the (empty) directory is what makes the following read
       reach the strip computation; without this call the FPE does not occur. */
    TIFFCheckpointDirectory(atiff);
    TIFFReadRGBAImage(atiff, w, h, raster, 0x1);   /* FPE is raised here */
    printf("end\n");

    free(raster);
    TIFFClose(atiff);
    return 0;
}
```
This triggers an FPE in the macro `TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);`, which is evaluated with two zero values, i.e., `td->td_imagelength` and `rowsperstrip` (see https://gitlab.com/libtiff/libtiff/-/blob/master/libtiff/tif_read.c?ref_type=heads#L499).
The problem does not appear if `TIFFCheckpointDirectory(atiff);` is omitted.
Apart from the question of the library's intended behavior, we could avoid the FPE if `TIFFhowmany_32_maxuint_compat` were guarded against division by zero.
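The guard described above, as an added example that is not libtiff's code: `howmany_unguarded` is a reimplementation in the shape of the `TIFFhowmany_32_maxuint_compat` macro (64-bit arithmetic so that `x` near `UINT32_MAX` does not overflow), `howmany_guarded` returns 0 for a zero divisor, and `strips_per_plane` is a hypothetical simplification of the strip count computed at the linked line, assuming (as the libtiff source there does) that `rowsperstrip` is first clamped to `td_imagelength`, which is how an image length of 0 produces the two zero operands.

```c
#include <stdint.h>
#include <stdio.h>

/* Unguarded "round x up to a multiple of y, divided by y", in the shape of
   libtiff's TIFFhowmany_32_maxuint_compat (a reimplementation for illustration,
   not the library's macro). The 64-bit sum avoids overflow when x is close to
   UINT32_MAX, but y == 0 is a division by zero and raises SIGFPE on x86. */
static uint32_t howmany_unguarded(uint32_t x, uint32_t y)
{
    return (uint32_t)(((uint64_t)x + (uint64_t)y - 1) / (uint64_t)y);
}

/* Guarded variant: a zero divisor yields 0 strips instead of a trap. */
static uint32_t howmany_guarded(uint32_t x, uint32_t y)
{
    if (y == 0)
        return 0;
    return (uint32_t)(((uint64_t)x + (uint64_t)y - 1) / (uint64_t)y);
}

/* Hypothetical model of the strip count in TIFFReadEncodedStrip: rowsperstrip
   is clamped to imagelength, so imagelength == 0 forces rowsperstrip to 0 and
   the unguarded macro would divide by zero. Returns the strip count, or -1
   when the geometry is unusable so the caller can refuse the read. */
static int64_t strips_per_plane(uint32_t imagelength, uint32_t rowsperstrip)
{
    if (rowsperstrip > imagelength)
        rowsperstrip = imagelength;
    if (rowsperstrip == 0)          /* imagelength == 0 or rowsperstrip == 0 */
        return -1;
    return (int64_t)howmany_guarded(imagelength, rowsperstrip);
}

int main(void)
{
    /* Normal geometry: 10 rows, 4 rows per strip -> 3 strips. */
    printf("10 rows / 4 per strip: %lld strips\n",
           (long long)strips_per_plane(10, 4));

    /* Near the top of the 32-bit range: no overflow, UINT32_MAX strips. */
    printf("UINT32_MAX rows / 1 per strip: %lld strips\n",
           (long long)strips_per_plane(0xffffffffu, 1));

    /* The report's case: td_imagelength == 0 clamps rowsperstrip to 0. */
    printf("0 rows / 8192 per strip: %lld (rejected)\n",
           (long long)strips_per_plane(0, 8192));
    return 0;
}
```

Only the guarded path is ever exercised with a zero operand; `howmany_unguarded` is kept beside it purely to show that the two agree on every non-zero divisor, so the guard changes nothing for valid files.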