Skip to content

Commit e25be1e

Browse files
wiredfoolradarhere
wiredfool
authored and
radarhere
committed
Fix negative size read in TiffDecode.c
* Caught by oss-fuzz runs * CVE-2021-25290
1 parent f891baa commit e25be1e

8 files changed

+11
-1
lines changed

Tests/images/crash-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif

2.47 KB
Binary file not shown.

Tests/images/crash-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif

1.89 KB
Binary file not shown.

Tests/images/crash-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif

4.57 KB
Binary file not shown.

Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif

3.96 KB
Binary file not shown.

Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif

286 Bytes
Binary file not shown.

Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif

1.8 KB
Binary file not shown.

Tests/test_tiff_crashes.py

+7-1
Original file line numberDiff line numberDiff line change
@@ -24,8 +24,14 @@
2424
"Tests/images/crash_1.tif",
2525
"Tests/images/crash_2.tif",
2626
"Tests/images/crash-2020-10-test.tif",
27-
"Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif",
27+
"Tests/images/crash-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif",
2828
"Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif",
29+
"Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif",
30+
"Tests/images/crash-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif",
31+
"Tests/images/crash-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif",
32+
"Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif",
33+
"Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif",
34+
"Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif",
2935
],
3036
)
3137
@pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")

src/libImaging/TiffDecode.c

+4
Original file line numberDiff line numberDiff line change
@@ -47,6 +47,10 @@ tsize_t _tiffReadProc(thandle_t hdata, tdata_t buf, tsize_t size) {
4747
TRACE(("_tiffReadProc: %d \n", (int)size));
4848
dump_state(state);
4949

50+
if (state->loc > state->eof) {
51+
TIFFError("_tiffReadProc", "Invalid Read at loc %d, eof: %d", state->loc, state->eof);
52+
return 0;
53+
}
5054
to_read = min(size, min(state->size, (tsize_t)state->eof) - (tsize_t)state->loc);
5155
TRACE(("to_read: %d\n", (int)to_read));
5256

0 commit comments

Comments
 (0)