47 lines
1.5 KiB
Diff
47 lines
1.5 KiB
Diff
From fcfa5b516c43c0a8eabede226ec8df7852328339 Mon Sep 17 00:00:00 2001
|
|
From: Even Rouault <even.rouault@spatialys.com>
|
|
Date: Sun, 5 Nov 2023 04:42:11 +0800
|
|
Subject: [PATCH 2/2] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation
|
|
of col/row (fixes #622)
|
|
|
|
---
|
|
libtiff/tif_getimage.c | 15 +++++++++++++++
|
|
1 file changed, 15 insertions(+)
|
|
|
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
|
index 9a2e0c5..ca4d227 100644
|
|
--- a/libtiff/tif_getimage.c
|
|
+++ b/libtiff/tif_getimage.c
|
|
@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t row, uint32_t * raster, int stop_on_err
|
|
}
|
|
|
|
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
|
|
+ if (row >= img.height)
|
|
+ {
|
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
|
+ "Invalid row passed to TIFFReadRGBAStrip().");
|
|
+ TIFFRGBAImageEnd(&img);
|
|
+ return (0);
|
|
+ }
|
|
|
|
img.row_offset = row;
|
|
img.col_offset = 0;
|
|
@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
|
|
return( 0 );
|
|
}
|
|
|
|
+ if (col >= img.width || row >= img.height)
|
|
+ {
|
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
|
+ "Invalid row/col passed to TIFFReadRGBATile().");
|
|
+ TIFFRGBAImageEnd(&img);
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
/*
|
|
* The TIFFRGBAImageGet() function doesn't allow us to get off the
|
|
* edge of the image, even to fill an otherwise valid tile. So we
|
|
--
|
|
2.33.0
|
|
|