Index: third_party/libtiff/tif_next.c |
diff --git a/third_party/libtiff/tif_next.c b/third_party/libtiff/tif_next.c |
index 17e031111a195a56c70e1e02df6d5a4439676e88..b2076a0b01755bf976ddc31b6f5df3629c28fc05 100644 |
--- a/third_party/libtiff/tif_next.c |
+++ b/third_party/libtiff/tif_next.c |
@@ -37,7 +37,7 @@ |
case 0: op[0] = (unsigned char) ((v) << 6); break; \ |
case 1: op[0] |= (v) << 4; break; \ |
case 2: op[0] |= (v) << 2; break; \ |
- case 3: *op++ |= (v); break; \ |
+ case 3: *op++ |= (v); op_offset++; break; \ |
} \ |
} |
@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) |
uint32 imagewidth = tif->tif_dir.td_imagewidth; |
if( isTiled(tif) ) |
imagewidth = tif->tif_dir.td_tilewidth; |
+ tmsize_t op_offset = 0; |
/* |
* The scanline is composed of a sequence of constant |
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) |
* bounds, potentially resulting in a security |
* issue. |
*/ |
- while (n-- > 0 && npixels < imagewidth) |
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) |
SETPIXEL(op, grey); |
if (npixels >= imagewidth) |
break; |
+ if (op_offset >= scanline ) { |
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", |
+ (long) tif->tif_row); |
+ return (0); |
+ } |
if (cc == 0) |
goto bad; |
n = *bp++, cc--; |