| From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001 |
| From: Even Rouault <even.rouault@spatialys.com> |
| Date: Sat, 29 Apr 2023 12:20:46 +0200 |
| Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a |
| strip whith a missing end-of-information marker (fixes #548) |
| |
| CVE: CVE-2023-2731 |
| Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b] |
| |
| --- |
| libtiff/tif_lzw.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c |
| index ba75a07e..d631fa10 100644 |
| --- a/libtiff/tif_lzw.c |
| +++ b/libtiff/tif_lzw.c |
| @@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s) |
| |
| if (sp->read_error) |
| { |
| + TIFFErrorExtR(tif, module, |
| + "LZWDecode: Scanline %" PRIu32 " cannot be read due to " |
| + "previous error", |
| + tif->tif_row); |
| return 0; |
| } |
| |
| @@ -742,6 +746,7 @@ after_loop: |
| return (1); |
| |
| no_eoi: |
| + sp->read_error = 1; |
| TIFFErrorExtR(tif, module, |
| "LZWDecode: Strip %" PRIu32 " not terminated with EOI code", |
| tif->tif_curstrip); |
| -- |
| 2.34.1 |
| |