
JBIG: fix potential out-of-bounds write in JBIGDecode()

Even Rouault requested to merge rouault/libtiff:jbig_decode_overflow into master

JBIGDecode doesn't check whether the user-provided buffer is large enough to store the JBIG-decoded image, which can potentially cause an out-of-bounds write in the buffer. This issue was reported and analyzed by Thomas Dullien.

Also fixes a (harmless) potential use of uninitialized memory when tif->tif_rawsize > tif->tif_rawcc.

And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure that the whole strip data is provided to JBIGDecode().
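The two checks the description refers to, modelled as an added example in C rather than libtiff's own code: the function names, the one-bit-per-pixel row-padded layout and the sample bytes are assumptions, not taken from the merge request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the output-size check: a bi-level image of
 * width x height pixels packed one bit per pixel, rows padded to a
 * byte boundary.  Returns the bytes the decoded image needs, or 0 for
 * a zero-sized image or when the multiplication would overflow size_t. */
size_t jbig_required_bytes(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return 0;
    size_t row_bytes = ((size_t)width + 7) / 8;   /* cannot overflow size_t */
    if (row_bytes > SIZE_MAX / height)            /* row_bytes * height would wrap */
        return 0;
    return row_bytes * (size_t)height;
}

/* Decode-step model: the "decoder" copies the packed image into `out`,
 * but only after verifying that `outlen` can hold it.  Returns 1 on
 * success, 0 when the request is refused; `out` is untouched on refusal. */
int jbig_decode_checked(const uint8_t *packed, uint32_t width, uint32_t height,
                        uint8_t *out, size_t outlen)
{
    size_t need = jbig_required_bytes(width, height);
    if (need == 0 || need > outlen) {
        fprintf(stderr, "JBIGDecode: refusing %ux%u image (need %zu, have %zu)\n",
                width, height, need, outlen);
        return 0;
    }
    memcpy(out, packed, need);
    return 1;
}

/* Input side: only rawcc bytes of the raw strip buffer were actually
 * filled; rawsize is the allocation size.  Passing rawsize bytes to the
 * decoder lets it read uninitialized memory, so clamp to rawcc. */
size_t jbig_valid_input_len(size_t rawcc, size_t rawsize)
{
    return rawcc < rawsize ? rawcc : rawsize;
}

/* Constructed 9x2 sample (2 bytes per row) decoded into a buffer of
 * `outlen` bytes; returns the decoder's status so callers can compare
 * a sufficient buffer against a short one. */
int jbig_demo(size_t outlen)
{
    static const uint8_t packed[4] = { 0xAA, 0x55, 0xF0, 0x0F }; /* constructed */
    uint8_t out[8] = { 0 };
    return jbig_decode_checked(packed, 9, 2, out, outlen < sizeof out ? outlen : sizeof out);
}
```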

Edited by Even Rouault
