52 lines
1.9 KiB
Diff
52 lines
1.9 KiB
Diff
From 8c951535e8551e314a66cdff01b83f055a204e8c Mon Sep 17 00:00:00 2001
|
|
From: Su Laus <sulau@freenet.de>
|
|
Date: Wed, 11 Jun 2025 19:45:19 +0000
|
|
Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
|
|
rows at TIFFReadRGBAImageOriented()
|
|
|
|
---
|
|
libtiff/tif_getimage.c | 20 +++++++++++++++++---
|
|
1 file changed, 17 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
|
index 41f7dfd..9e94353 100644
|
|
--- a/libtiff/tif_getimage.c
|
|
+++ b/libtiff/tif_getimage.c
|
|
@@ -600,6 +600,22 @@ int TIFFRGBAImageGet(TIFFRGBAImage *img, uint32_t *raster, uint32_t w,
|
|
"No \"put\" routine setupl; probably can not handle image format");
|
|
return (0);
|
|
}
|
|
+ /* Verify raster width and height against image width and height. */
|
|
+ if (h > img->height)
|
|
+ {
|
|
+ /* Adapt parameters to read only available lines and put image at
|
|
+ * the bottom of the raster. */
|
|
+ raster += (size_t)(h - img->height) * w;
|
|
+ h = img->height;
|
|
+ }
|
|
+ if (w > img->width)
|
|
+ {
|
|
+ TIFFWarningExtR(img->tif, TIFFFileName(img->tif),
|
|
+ "Raster width of %d shall not be larger than image "
|
|
+ "width of %d -> raster width adapted for reading",
|
|
+ w, img->width);
|
|
+ w = img->width;
|
|
+ }
|
|
return (*img->get)(img, raster, w, h);
|
|
}
|
|
|
|
@@ -617,9 +633,7 @@ int TIFFReadRGBAImageOriented(TIFF *tif, uint32_t rwidth, uint32_t rheight,
|
|
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg))
|
|
{
|
|
img.req_orientation = (uint16_t)orientation;
|
|
- /* XXX verify rwidth and rheight against width and height */
|
|
- ok = TIFFRGBAImageGet(&img, raster + (rheight - img.height) * rwidth,
|
|
- rwidth, img.height);
|
|
+ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
|
|
TIFFRGBAImageEnd(&img);
|
|
}
|
|
else
|
|
--
|
|
2.47.3
|
|
|