
fix heap buffer overflow in tiffcp (#278)

4ugustus requested to merge waugustus/libtiff:issue-278 into master

fix #278 (closed).

Note that I currently only do bounds checking on out because I don't know how to do bounds checking on in without changing the function parameters. But this fix works for this crash.

To add a check for in, we need to do this,

```c
if (row * rowsize + s + spp * imagewidth * nrows > scanlinesize * imagelength)
```

where scanlinesize is assigned in tiffcp.c:1408,

```c
scanlinesize = TIFFRasterScanlineSize(in);
```

But in (or named tif) is not accessible in writeBufferToSeparateStrips, so I have no idea how to check for this.

By the way, after testing with multiple files, I found that stripsize and scanlinesize always seem to be equal. If so, it will be easy to add bounds checking on in as this,

```c
if (row * rowsize + s + spp * imagewidth * nrows > stripsize * imagelength)
```
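As an added illustration of the kind of check proposed above (this is example code written for this page, not libtiff's own code and not the MR's patch), the helpers below compute the end offset `row * rowsize + s + spp * imagewidth * nrows` and the buffer size `scanlinesize * imagelength` with overflow-safe arithmetic before comparing them, and guard a strip copy on both the source and destination side. All sizes used in the demo are constructed values; the function names `strip_span_fits` and `checked_copy` are assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compute end = row*rowsize + s + spp*imagewidth*nrows.
 * Returns false if any intermediate product or sum would wrap around,
 * so a wrapped "small" offset can never pass the bounds comparison. */
static bool compute_span_end(size_t row, size_t rowsize, size_t s,
                             size_t spp, size_t imagewidth, size_t nrows,
                             size_t *end)
{
    size_t base, pixels, bytes, sum;
    if (__builtin_mul_overflow(row, rowsize, &base))      return false;
    if (__builtin_mul_overflow(spp, imagewidth, &pixels)) return false;
    if (__builtin_mul_overflow(pixels, nrows, &bytes))    return false;
    if (__builtin_add_overflow(base, s, &sum))            return false;
    if (__builtin_add_overflow(sum, bytes, end))          return false;
    return true;
}

/* Mirror of the MR's proposed condition, inverted to "does it fit":
 * the strip copy touches [row*rowsize + s, end) and the buffer holds
 * scanlinesize*imagelength bytes (hypothetical parameter names). */
static bool strip_span_fits(size_t row, size_t rowsize, size_t s,
                            size_t spp, size_t imagewidth, size_t nrows,
                            size_t scanlinesize, size_t imagelength)
{
    size_t end, buflen;
    if (!compute_span_end(row, rowsize, s, spp, imagewidth, nrows, &end))
        return false;
    if (__builtin_mul_overflow(scanlinesize, imagelength, &buflen))
        return false;
    return end <= buflen;
}

/* Copy n bytes from src+src_off to dst+dst_off only when both the read
 * and the write stay inside their buffers. Returns bytes copied, 0 if refused. */
static size_t checked_copy(const uint8_t *src, size_t src_len, size_t src_off,
                           uint8_t *dst, size_t dst_len, size_t dst_off,
                           size_t n)
{
    size_t src_end, dst_end;
    if (__builtin_add_overflow(src_off, n, &src_end) || src_end > src_len)
        return 0;
    if (__builtin_add_overflow(dst_off, n, &dst_end) || dst_end > dst_len)
        return 0;
    memcpy(dst + dst_off, src + src_off, n);
    return n;
}

/* Constructed demo: a 4-byte-wide, 4-row image buffer (16 bytes). */
static int demo(void)
{
    uint8_t in[16], out[16];
    for (size_t i = 0; i < sizeof in; i++) in[i] = (uint8_t)i;
    memset(out, 0, sizeof out);

    /* row 0, one 4-pixel row of 1 sample each: fits. */
    bool ok1 = strip_span_fits(0, 4, 0, 1, 4, 1, 4, 4);
    /* row 3, two rows requested: end = 12 + 8 = 20 > 16, refused. */
    bool ok2 = strip_span_fits(3, 4, 0, 1, 4, 2, 4, 4);
    /* huge row index: multiplication would wrap, refused. */
    bool ok3 = strip_span_fits(SIZE_MAX, 4, 0, 1, 4, 1, 4, 4);

    size_t copied = checked_copy(in, sizeof in, 12, out, sizeof out, 12, 4);
    size_t refused = checked_copy(in, sizeof in, 12, out, sizeof out, 12, 8);

    printf("fits=%d overrun=%d wrap=%d copied=%zu refused=%zu\n",
           ok1, ok2, ok3, copied, refused);
    return (ok1 && !ok2 && !ok3 && copied == 4 && refused == 0) ? 0 : 1;
}

int main(void)
{
    return demo();
}
```

The point of splitting the check into `compute_span_end` and the comparison is that a plain `a * b + c > limit` in C can wrap on large or attacker-controlled tag values and pass the check with a small wrapped offset; `__builtin_mul_overflow` and `__builtin_add_overflow` (GCC and Clang) make that case an explicit refusal.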
