From 32ebc9082e6e3f79e5177ff91c58503874ba14a6 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Wed, 24 Feb 2021 14:55:10 +0100
Subject: Avoid oob access when reading certain corrupt tiled tiffs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add check against corrupt tiffs where libtiff can report conflicting values of tile width, length and byte size. This issue was reported by Samuel Groß and Natalie Silvanovich of Google Project Zero.

Change-Id: Icb9c20317746190c446c93b474f5c490a805551c
Reviewed-by: Allan Sandfeld Jensen
Reviewed-by: Volker Hilsheimer
(cherry picked from commit 0709cda6fa836ac222a06062abc3fd3ac0730c12)
Reviewed-by: Qt Cherry-pick Bot
---
 src/plugins/imageformats/tiff/qtiffhandler.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp
index 9ddaab8..d9e5478 100644
--- a/src/plugins/imageformats/tiff/qtiffhandler.cpp
+++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp
@@ -423,14 +423,19 @@ bool QTiffHandler::read(QImage *image)
 quint32 tileWidth, tileLength;
 TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth);
 TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength);
- uchar *buf = (uchar *)_TIFFmalloc(TIFFTileSize(tiff));
- if (!tileWidth || !tileLength || !buf) {
- _TIFFfree(buf);
+ if (!tileWidth || !tileLength || tileWidth % 16 || tileLength % 16) {
 d->close();
 return false;
 }
 quint32 byteWidth = (format == QImage::Format_Mono) ? (width + 7)/8 : (width * bytesPerPixel);
 quint32 byteTileWidth = (format == QImage::Format_Mono) ? tileWidth/8 : (tileWidth * bytesPerPixel);
+ tmsize_t byteTileSize = TIFFTileSize(tiff);
+ uchar *buf = (uchar *)_TIFFmalloc(byteTileSize);
+ if (!buf || byteTileSize / tileLength < byteTileWidth) {
+ _TIFFfree(buf);
+ d->close();
+ return false;
+ }
 for (quint32 y = 0; y < height; y += tileLength) {
 for (quint32 x = 0; x < width; x += tileWidth) {
 if (TIFFReadTile(tiff, buf, x, y, 0, 0) < 0) {
-- 
cgit v1.2.3
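Review bot: The new size guard compares `byteTileSize / tileLength` against `byteTileWidth`, but `byteTileWidth` comes from `tileWidth * bytesPerPixel` evaluated in 32 bits. For a very large declared tile width that product can wrap, and the guard then checks a smaller row width than the file declares. The visible lines do not show a bad access following from this, since the loop body that consumes `buf` lies outside the hunk, but the guard would be easier to trust with the product bounded first, for example by adding `|| tileWidth > std::numeric_limits<quint32>::max() / bytesPerPixel` to the first rejection test (assuming `bytesPerPixel` is a non-zero integer here; its declaration is not in the hunk). The two checks also have no comment stating the invariant they protect, so I would add `// buf must hold tileLength rows of byteTileWidth bytes; libtiff can report a smaller tile size for corrupt files` above the second `if`, and a short note that the `% 16` test rejects tile dimensions that are not multiples of 16. The diffstat shows only this file changed, so a regression test with a corrupt tiled sample would be worth adding alongside it.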