 | From: Cristy <mikayla-grace@urban-warrior.org>
Date: Mon, 26 Jul 2021 13:08:57 -0400
Subject: heap-based buffer overflow in TIFF coder (alert from Hunter
 Mitchell)
origin:  https://github.com/ImageMagick/ImageMagick6/commit/e1fbcdf3aad96d51db65c1601117396eac665a6d
bug: https://github.com/ImageMagick/ImageMagick6/issues/245
---
 coders/tiff.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index 1c84442..8d552fc 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -2020,7 +2020,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
               columns_remaining=image->columns-x;
               if ((ssize_t) (x+columns) < (ssize_t) image->columns)
                 columns_remaining=columns;
-              if (TIFFReadTile(tiff,tile_pixels,(uint32) x,(uint32) y,0,i) == 0)
+              if (TIFFReadTile(tiff,tile_pixels,(uint32) x,(uint32) y,0,i) == -1)
                 break;
               p=tile_pixels;
               for (row=0; row < rows_remaining; row++)
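Review bot: The new `== -1` test on `TIFFReadTile` carries no comment explaining the sentinel, and it matches only that one value. libtiff documents the return as the decoded byte count on success and -1 on error, so the old `== 0` test presumably let a failed read fall through to the copy loop over `tile_pixels`. I would write it as `if (TIFFReadTile(tiff,tile_pixels,(uint32) x,(uint32) y,0,i) < 0)` with `/* TIFFReadTile() returns -1 on error, else the number of bytes decoded */` above it. The enclosing loop starts and ends outside the hunk, so where the `break` lands cannot be confirmed from here.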
@@ -2080,8 +2080,13 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         if (generic_info == (MemoryInfo *) NULL)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         pixels=(uint32 *) GetVirtualMemoryBlob(generic_info);
-        (void) TIFFReadRGBAImage(tiff,(uint32) image->columns,(uint32)
+        status=TIFFReadRGBAImage(tiff,(uint32) image->columns,(uint32)
           image->rows,(uint32 *) pixels,0);
+        if (status == -1)
+          {
+            generic_info=RelinquishVirtualMemory(generic_info);
+            break;
+          }
         p=pixels+(image->columns*image->rows)-1;
         for (y=0; y < (ssize_t) image->rows; y++)
         {
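Review bot: The added `if (status == -1)` guard after `TIFFReadRGBAImage` looks like it can never fire, because libtiff documents that function as returning 1 on success and 0 on failure, not -1. A failed decode would then still reach `p=pixels+(image->columns*image->rows)-1` and the row loop, which reads a buffer the library did not fill. The test should be `if (status == 0)`. The declaration of `status` is outside the hunk; if it is not a plain `int`, a dedicated `int` local for the libtiff result would keep the comparison unambiguous. The construct that `break` exits is also outside the hunk, so it is worth confirming that the caller reports the read as failed rather than returning a partly initialised image.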