Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 1 | From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 |
| 2 | From: Even Rouault <even.rouault@spatialys.com> |
| 3 | Date: Sun, 6 Feb 2022 13:08:38 +0100 |
| 4 | Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null |
| 5 | source pointer and size of zero (fixes #362) |
| 6 | |
| 7 | Upstream-Status: Backport |
| 8 | CVE: CVE-2022-0561 |
| 9 | |
| 10 | --- |
| 11 | libtiff/tif_dirread.c | 5 +++-- |
| 12 | 1 file changed, 3 insertions(+), 2 deletions(-) |
| 13 | |
| 14 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c |
| 15 | index 23194ced..50ebf8ac 100644 |
| 16 | --- a/libtiff/tif_dirread.c |
| 17 | +++ b/libtiff/tif_dirread.c |
| 18 | @@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l |
| 19 | _TIFFfree(data); |
| 20 | return(0); |
| 21 | } |
| 22 | - _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); |
| 23 | - _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); |
| 24 | + if( dir->tdir_count ) |
| 25 | + _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); |
| 26 | + _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); |
| 27 | _TIFFfree(data); |
| 28 | data=resizeddata; |
| 29 | } |
| 30 | -- |
| 31 | GitLab |
| 32 | |