authorEirik Aavitsland <eirik.aavitsland@qt.io>2021-02-24 14:55:10 +0100
committerTarja Sundqvist <tarja.sundqvist@qt.io>2021-02-25 14:57:03 +0200
commit2357d61bc54e80d7a1e4ea5a16514877faf2f3fb (patch)
treeb785f5bfc04632d65e06d2a3f37e5e8a0d9eb897
parente78696656bfb28b42691ed0445f1a4f370b2d496 (diff)
Avoid oob access when reading certain corrupt tiled tiffs
Add check against corrupt tiffs where libtiff can report conflicting values of tile width, length and byte size. This issue was reported by Samuel Groß and Natalie Silvanovich of Google Project Zero. Change-Id: Icb9c20317746190c446c93b474f5c490a805551c Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> (cherry picked from commit 0709cda6fa836ac222a06062abc3fd3ac0730c12)
-rw-r--r--src/plugins/imageformats/tiff/qtiffhandler.cpp11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp
index c05db81..34b2bb7 100644
--- a/src/plugins/imageformats/tiff/qtiffhandler.cpp
+++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp
@@ -423,14 +423,19 @@ bool QTiffHandler::read(QImage *image)
quint32 tileWidth, tileLength;
TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth);
TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength);
- uchar *buf = (uchar *)_TIFFmalloc(TIFFTileSize(tiff));
- if (!tileWidth || !tileLength || !buf) {
- _TIFFfree(buf);
+ if (!tileWidth || !tileLength || tileWidth % 16 || tileLength % 16) {
d->close();
return false;
}
quint32 byteWidth = (format == QImage::Format_Mono) ? (width + 7)/8 : (width * bytesPerPixel);
quint32 byteTileWidth = (format == QImage::Format_Mono) ? tileWidth/8 : (tileWidth * bytesPerPixel);
+ tmsize_t byteTileSize = TIFFTileSize(tiff);
+ uchar *buf = (uchar *)_TIFFmalloc(byteTileSize);
+ if (!buf || byteTileSize / tileLength < byteTileWidth) {
+ _TIFFfree(buf);
+ d->close();
+ return false;
+ }
for (quint32 y = 0; y < height; y += tileLength) {
for (quint32 x = 0; x < width; x += tileWidth) {
if (TIFFReadTile(tiff, buf, x, y, 0, 0) < 0) {
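Review bot: The new size check `byteTileSize / tileLength < byteTileWidth` carries no comment saying what invariant it protects, and a reader of this hot path will not see why the buffer from `TIFFTileSize()` is not trusted on its own; a line such as `// A corrupt file can make TIFFTileSize() disagree with the TILEWIDTH/TILELENGTH tags; require buf to hold tileLength rows of byteTileWidth bytes so the per-row copy below cannot read past it.` above the `if (!buf || ...)` line would document the intent. The `tileWidth * bytesPerPixel` product that feeds `byteTileWidth` is still computed in `quint32` on the unchanged line above, so a hostile TILEWIDTH could wrap it to a small value and the check would then compare against the wrapped row width rather than the real one; it is worth confirming that the copy loop uses the same `byteTileWidth`, and otherwise computing the product in a 64-bit type (or bounding `tileWidth` against `width` beforehand). On a 32-bit build `tmsize_t` is narrower than the promoted `quint32` divisor, which makes the division unsigned; that is harmless as long as `TIFFTileSize()` never returns a negative value, but a cast to `quint64` on both sides would make the comparison's intent explicit. `QTiffHandler::read` starts and ends outside this hunk, so the copy loop that consumes `buf` could not be checked here.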