[Secure-testing-team] Bug#846838: tiff: divide-by-zero in readSeparateStripsIntoBuffer
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 3 16:45:25 UTC 2016
Source: tiff
Version: 4.0.3-12.3
Severity: normal
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2619
Hi
This was forwarded to upstream to
http://bugzilla.maptools.org/show_bug.cgi?id=2619 . From a quick look
at the code:
    static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
                                             uint32 width, uint16 spp,
                                             struct dump_opts *dump)
    {
    [...]
      uint32 src_rowsize, dst_rowsize, rows_processed, rps;
    [...]
      src_rowsize = ((bps * width) + 7) / 8;
    [...]
      rows_processed = 0;
      for (j = 0; (j < strips_per_sample) && (result == 1); j++)
        {
        for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
          {
          buff = srcbuffs[s];
          strip = (s * strips_per_sample) + j;
          bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
          rows_this_strip = bytes_read / src_rowsize;
would lead to a division-by-zero in tiffcrop if bps would be zero.
I have not researched when this could happen.
Regards,
Salvatore
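Added example (not part of the original message, and not tiffcrop or libtiff code): a guarded form of the two computations quoted in the report, so that a zero src_rowsize never reaches the division. It goes beyond the bps == 0 case to cover width == 0 and 32-bit wrap-around of bps * width, which also yield a zero row size. The helper names, the 16-bit type for bps and the sample inputs are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* The 32-bit expression from the excerpt, kept for comparison.
 * Assumption: bps is a 16-bit value (its declaration is not in the excerpt). */
static uint32_t rowsize_32bit(uint16_t bps, uint32_t width)
{
    return (((uint32_t)bps * width) + 7) / 8;
}

/* Hypothetical helper: same formula in 64-bit arithmetic, rejecting any
 * input whose row size is zero or does not fit in 32 bits.
 * Returns 0 on success, -1 if the result must not be used as a divisor. */
static int checked_rowsize(uint16_t bps, uint32_t width, uint32_t *rowsize)
{
    if (bps == 0 || width == 0)
        return -1;
    uint64_t bytes = ((uint64_t)bps * width + 7) / 8; /* cannot wrap */
    if (bytes > UINT32_MAX)
        return -1;
    *rowsize = (uint32_t)bytes;
    return 0;
}

/* Hypothetical helper: rows held in one decoded strip. bytes_read stands for
 * the strip reader's return value; a negative value is treated as an error. */
static int rows_in_strip(int64_t bytes_read, uint32_t rowsize, uint32_t *rows)
{
    if (bytes_read < 0 || rowsize == 0)
        return -1;
    uint64_t r = (uint64_t)bytes_read / rowsize;
    if (r > UINT32_MAX)
        return -1;
    *rows = (uint32_t)r;
    return 0;
}

int main(void)
{
    /* Constructed inputs: {bps, width}. */
    const struct { uint16_t bps; uint32_t width; } t[] = {
        {0, 100}, {16, 0x10000000u}, {1, 10}, {8, 0} };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        uint32_t rs = 0, rows = 0;
        int ok = checked_rowsize(t[i].bps, t[i].width, &rs) == 0
                 && rows_in_strip(20, rs, &rows) == 0;
        printf("bps=%u width=%u 32-bit rowsize=%u -> %s rows=%u\n",
               (unsigned)t[i].bps, (unsigned)t[i].width,
               (unsigned)rowsize_32bit(t[i].bps, t[i].width),
               ok ? "accepted" : "rejected", (unsigned)rows);
    }
    return 0;
}
```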