37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
From af4ee2276bfb9cfdd1809326604ead5a405735be Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
|
Date: Thu, 8 Jun 2023 14:10:59 +0200
|
|
Subject: [PATCH] (CVE-2023-2731) LZWDecode(): avoid crash when trying to read
|
|
again from a strip whith a missing end-of-information marker (fixes #548)
|
|
|
|
(cherry picked from commit 9be22b639ea69e102d3847dca4c53ef025e9527b)
|
|
---
|
|
libtiff/tif_lzw.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
|
|
index 096824d2..2ba6237e 100644
|
|
--- a/libtiff/tif_lzw.c
|
|
+++ b/libtiff/tif_lzw.c
|
|
@@ -404,7 +404,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
|
|
assert(sp->dec_codetab != NULL);
|
|
|
|
if (sp->read_error) {
|
|
- return 0;
|
|
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
|
|
+ "previous error",
|
|
+ tif->tif_row);
|
|
+ return 0;
|
|
}
|
|
|
|
/*
|
|
@@ -705,6 +709,7 @@ after_loop:
|
|
return (1);
|
|
|
|
no_eoi:
|
|
+ sp->read_error = 1;
|
|
TIFFErrorExt(tif->tif_clientdata, module,
|
|
"LZWDecode: Strip %"PRIu32" not terminated with EOI code",
|
|
tif->tif_curstrip);
|