From 0464ac4b3a332e91b3f10962087f53f0e969ac6a Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Wed, 11 Jun 2025 19:45:19 +0000
Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
rows at TIFFReadRGBAImageOriented()
---
libtiff/tif_getimage.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 2eb4672..d243dda 100644
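--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
 "No \"put\" routine setupl; probably can not handle image format");
 return (0);
 }
+ /* Verify raster width and height against image width and height. */
+ if (h > img->height)
+ {
+ /* Adapt parameters to read only available lines and put image at
+ * the bottom of the raster. */
+ raster += (size_t)(h - img->height) * w;
+ h = img->height;
+ }
+ if (w > img->width)
+ {
+ TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
+ "Raster width of %d shall not be larger than image "
+ "width of %d -> raster width adapted for reading",
+ w, img->width);
+ w = img->width;
+ }
 return (*img->get)(img, raster, w, h);
 }
 
@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
 
 if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
 img.req_orientation = (uint16_t)orientation;
- /* XXX verify rwidth and rheight against width and height */
- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
- rwidth, img.height);
+ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
 TIFFRGBAImageEnd(&img);
 } else {
 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);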
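Review bot: In TIFFRGBAImageGet the offset on the `raster += (size_t)(h - img->height) * w;` line is computed with the caller's `w`, but `w` is then clamped to `img->width` and only the clamped value reaches `img->get`. If the get routines also use `w` as the raster row pitch (their bodies are outside this hunk), a caller that sized and indexes its buffer by `rwidth` would get rows packed at `img->width`, apparently still inside the buffer but not where the caller expects them, so the comment should state this, e.g. `/* w doubles as the row pitch for img->get; after clamping, rows are packed at img->width */`. The warning prints the `uint32_t` values with `%d`; a matching specifier such as `"Raster width of %" PRIu32 " shall not be larger than image "` (and likewise on the following line) keeps large widths from being shown as negative numbers. The function body starts above the hunk.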
--
2.47.3