From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001 From: erouault Date: Wed, 11 Jan 2017 16:33:34 +0000 Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 Fixes CVE-2017-7602 Signed-off-by: Peter Korsgaard --- libtiff/tif_read.c | 27 ++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c index 52bbf507..b7aacbda 100644 --- a/libtiff/tif_read.c +++ b/libtiff/tif_read.c @@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, return ((tmsize_t)(-1)); } } else { - tmsize_t ma,mb; + tmsize_t ma; tmsize_t n; - ma=(tmsize_t)td->td_stripoffset[strip]; - mb=ma+size; - if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) - n=0; - else if ((mbtif->tif_size)) - n=tif->tif_size-ma; - else - n=size; + if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)|| + ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size)) + { + n=0; + } + else if( ma > TIFF_TMSIZE_T_MAX - size ) + { + n=0; + } + else + { + tmsize_t mb=ma+size; + if (mb>tif->tif_size) + n=tif->tif_size-ma; + else + n=size; + } if (n!=size) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, -- 2.11.0