1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
|
From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 12 May 2018 15:32:31 +0200
Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
The fix consists in using the similar code LZWDecode() to validate we
don't write outside of the output buffer.
libtiff/tif_lzw.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
Index: tiff-4.0.8/libtiff/tif_lzw.c
===================================================================
--- tiff-4.0.8.orig/libtiff/tif_lzw.c 2018-10-28 12:59:52.864935922 +0100
+++ tiff-4.0.8/libtiff/tif_lzw.c 2018-10-28 13:01:50.136932407 +0100
@@ -603,6 +603,7 @@
char *tp;
unsigned char *bp;
int code, nbits;
+ int len;
long nextbits, nextdata, nbitsmask;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
@@ -751,13 +752,18 @@
} while (--occ);
break;
}
- assert(occ >= codep->length);
- op += codep->length;
- occ -= codep->length;
- tp = op;
+ len = codep->length;
+ tp = op + len;
do {
- *--tp = codep->value;
- } while( (codep = codep->next) != NULL );
+ int t;
+ --tp;
+ t = codep->value;
+ codep = codep->next;
+ *tp = (char)t;
+ } while (codep && tp > op);
+ assert(occ >= len);
+ op += len;
+ occ -= len;
} else {
*op++ = (char)code;
occ--;
|