blob: 74f9649fdf11ce182f96ed72dcf46110019f4221 [file] [log] [blame]
Andrew Geissler7e0e3c02022-02-25 20:34:39 +00001From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sun, 6 Feb 2022 13:08:38 +0100
4Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
5 source pointer and size of zero (fixes #362)
6
7Upstream-Status: Backport
8CVE: CVE-2022-0561
9
10---
11 libtiff/tif_dirread.c | 5 +++--
12 1 file changed, 3 insertions(+), 2 deletions(-)
13
14diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
15index 23194ced..50ebf8ac 100644
16--- a/libtiff/tif_dirread.c
17+++ b/libtiff/tif_dirread.c
18@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
19 _TIFFfree(data);
20 return(0);
21 }
22- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
23- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
24+ if( dir->tdir_count )
25+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
26+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
27 _TIFFfree(data);
28 data=resizeddata;
29 }
30--
31GitLab
32