Verified Commit 58a898cb authored by Even Rouault's avatar Even Rouault

LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes...

LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905

The fix consists in using the similar code LZWDecode() to validate we
don't write outside of the output buffer.
parent b68fc85f
Pipeline #21916018 passed with stages
in 3 minutes and 50 seconds
......@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
char *tp;
unsigned char *bp;
int code, nbits;
int len;
long nextbits, nextdata, nbitsmask;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
......@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
} while (--occ);
break;
}
assert(occ >= codep->length);
op += codep->length;
occ -= codep->length;
tp = op;
len = codep->length;
tp = op + len;
do {
*--tp = codep->value;
} while( (codep = codep->next) != NULL );
int t;
--tp;
t = codep->value;
codep = codep->next;
*tp = (char)t;
} while (codep && tp > op);
assert(occ >= len);
op += len;
occ -= len;
} else {
*op++ = (char)code;
occ--;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment