1 From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001
2 From: erouault <erouault>
3 Date: Wed, 11 Jan 2017 16:33:34 +0000
4 Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on
5 signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
6 http://bugzilla.maptools.org/show_bug.cgi?id=2650
10 libtiff/tif_read.c | 27 ++++++++++++++++++---------
11 2 files changed, 24 insertions(+), 9 deletions(-)
13 diff --git a/ChangeLog b/ChangeLog
14 index 8e202a2..3e31464 100644
18 2017-01-11 Even Rouault <even.rouault at spatialys.com>
20 + * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
21 + addition in TIFFReadRawStrip1() in isMapped() case.
22 + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
24 +2017-01-11 Even Rouault <even.rouault at spatialys.com>
26 * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
27 undefined behaviour caused by invalid shift exponent.
28 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
29 diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
30 index 52bbf50..b7aacbd 100644
31 --- a/libtiff/tif_read.c
32 +++ b/libtiff/tif_read.c
33 @@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
34 return ((tmsize_t)(-1));
40 - ma=(tmsize_t)td->td_stripoffset[strip];
42 - if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
44 - else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
48 + if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
49 + ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
53 + else if( ma > TIFF_TMSIZE_T_MAX - size )
59 + tmsize_t mb=ma+size;
60 + if (mb>tif->tif_size)
66 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
67 TIFFErrorExt(tif->tif_clientdata, module,