fix heap buffer overflow in tiffcp (#278) (!311) · Merge requests · libtiff / libtiff

4ugustus requested to merge waugustus/libtiff:issue-278 into master Mar 04, 2022

Note that I currently only do bounds checking on out because I don't know how to do bounds checking on in without changing the function parameters. But this fix works for this crash.

To add check for in, we need to do this,

if (row * rowsize + s + spp * imagewidth * nrows > scanlinesize * imagelength)

where scanlinesize is assigned in tiffcp.c:1408,

scanlinesize = TIFFRasterScanlineSize(in);

But in (or named tif) is not accessible in writeBufferToSeparateStrips, so I have no idea how to check for this.

By the way, after testing with multiple files, I found that stripsize and scanlinesize always seem to be equal. If so, it will be easy to add bounds checking on in as this,

if (row * rowsize + s + spp * imagewidth * nrows > stripsize * imagelength)

Edited Mar 07, 2022 by 4ugustus

fix heap buffer overflow in tiffcp (#278)

Merge request reports