Commit cbdce6c

wiredfool authored and radarhere committed
* Invalid tile boundaries lead to OOB Read in TiffDecode.c, in TiffReadRGBATile
* Check the tile validity before attempting to read.
1 parent 86f02f7 commit cbdce6c

3 files changed: +10 -0 lines changed
3.64 KB
Binary file not shown.

Tests/test_tiff_crashes.py

Lines changed: 1 addition & 0 deletions
@@ -32,6 +32,7 @@
3232
"Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif",
3333
"Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif",
3434
"Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif",
35+
"Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif",
3536
],
3637
)
3738
@pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")
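Review bot: the new entry crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif at the end of the list is identified only by its hash, so nothing in the test file ties it to the invalid tile boundary read in TiffReadRGBATile that the commit message describes. A short trailing comment on that line naming the decoder path it exercises would make the regression traceable later. The visible lines also do not show what the parametrized test asserts, so it is worth confirming that it expects the decoder to report an error for this file rather than only checking that the process survives.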

src/libImaging/TiffDecode.c

Lines changed: 9 additions & 0 deletions
@@ -562,6 +562,15 @@ ImagingLibTiffDecode(
562562

563563
for (y = state->yoff; y < state->ysize; y += tile_length) {
564564
for (x = state->xoff; x < state->xsize; x += tile_width) {
565+
/* Sanity Check. Apparently in some cases, the TiffReadRGBA* functions
566+
have a different view of the size of the tiff than we're getting from
567+
other functions. So, we need to check here.
568+
*/
569+
if (!TIFFCheckTile(tiff, x, y, 0, 0)) {
570+
TRACE(("Check Tile Error, Tile at %dx%d\n", x, y));
571+
state->errcode = IMAGING_CODEC_BROKEN;
572+
goto decode_err;
573+
}
565574
if (isYCbCr) {
566575
/* To avoid dealing with YCbCr subsampling, let libtiff handle it */
567576
if (!TIFFReadRGBATile(tiff, x, y, (UINT32 *)state->buffer)) {
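Review bot: the sanity-check comment at the top of the added block says the TiffReadRGBA* functions see a different size "in some cases" without saying which values disagree; it should state that the loop bounds come from state->xsize and state->ysize while libtiff applies its own image dimensions, so the reader knows what TIFFCheckTile(tiff, x, y, 0, 0) guards. TIFFCheckTile only confirms that the (x, y) coordinate, depth and sample index fall inside the image as libtiff sees it. It says nothing about whether state->buffer can hold a full tile, and the sizing of that buffer against tile_width and tile_length is not visible in these lines, so that should be verified separately. Placing the check ahead of the isYCbCr branch is the right call because it then covers both read paths. Note that the failure is reported only through TRACE, which leaves IMAGING_CODEC_BROKEN as the sole signal to callers when tracing is compiled out.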
