d7ae47f0c6
processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
29 lines
982 B
Diff
29 lines
982 B
Diff
From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001
|
|
From: Su Laus <sulau@freenet.de>
|
|
Date: Sat, 21 Jan 2023 15:58:10 +0000
|
|
Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
|
|
|
|
[Retrieved from:
|
|
https://gitlab.com/libtiff/libtiff/-/commit/97d65859bc29ee334012e9c73022d8a8e55ed586]
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
---
|
|
tools/tiffcrop.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
index 14fa18da..7db69883 100644
|
|
--- a/tools/tiffcrop.c
|
|
+++ b/tools/tiffcrop.c
|
|
@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
|
|
cropsize + NUM_BUFF_OVERSIZE_BYTES);
|
|
else
|
|
{
|
|
- prev_cropsize = seg_buffs[0].size;
|
|
+ prev_cropsize = seg_buffs[i].size;
|
|
if (prev_cropsize < cropsize)
|
|
{
|
|
next_buff = _TIFFrealloc(
|
|
--
|
|
GitLab
|
|
|