CVE-2022-1622: tif_lzw.c: fix potential out-of-bounds error when trying to read in the same... (b4e79bfa) · Commits · libtiff / libtiff · GitLab
LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.
Verified Commit b4e79bfa authored Apr 22, 2022 by
tif_lzw.c: fix potential out-of-bounds error when trying to read in the same tile/strip after an error has occurred (fixes #410)
…
…
@@ -140,6 +140,7 @@ typedef struct {
code_t* dec_free_entp; /* next free entry */
code_t* dec_maxcodep; /* max available entry */
code_t* dec_codetab; /* kept separate for small machines */
int read_error; /* whether a read error has occured, and which should cause further reads in the same strip/tile to be aborted */
/* Encoding specific data */
int enc_oldcode; /* last code encountered */
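Review bot: The new `read_error` field sits in the decoding block beside `dec_free_entp`, `dec_maxcodep` and `dec_codetab` but does not carry the `dec_` prefix the other decoder fields use, and its comment misspells "occurred" and is far longer than the neighbouring one-phrase comments. Consider naming it `dec_read_error` and shortening the comment to something like `/* set on decode error; aborts further reads in this strip/tile */`.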
…
…
@@ -307,6 +308,7 @@ LZWPreDecode(TIFF* tif, uint16_t s)
*/
sp->dec_oldcodep = &sp->dec_codetab[0];
sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1];
sp->read_error = 0;
return (1);
}
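Review bot: The reset `sp->read_error = 0;` in `LZWPreDecode` has no comment, yet it is the only place in the visible hunks where the flag is cleared, so the fix depends on this function running before every strip/tile is decoded. A one-line comment stating that the flag is scoped to a single strip/tile and re-armed here would stop a later refactor from moving the reset and leaving the decoder failing for the rest of the file.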
…
…
@@ -399,7 +401,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
(void) s;
assert(sp != NULL);
assert(sp->dec_codetab != NULL);
assert(sp->dec_codetab != NULL);
if (sp->read_error) {
return 0;
}
/*
* Restart interrupted output operation.
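Review bot: The early exit `if (sp->read_error) { return 0; }` at the top of `LZWDecode` fails silently, whereas the `error_code:` path reports through `TIFFErrorExt`. A caller that reads the same strip/tile again gets 0 with no diagnostic explaining that the decoder is refusing because of the earlier error; consider emitting a message here, or documenting that only the first failure is reported. The rendered hunk also shows `assert(sp->dec_codetab != NULL);` on two consecutive lines; if the second is an added line rather than a whitespace-only change, it is redundant.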
…
…
@@ -704,6 +710,7 @@ no_eoi:
tif->tif_curstrip);
return 0;
error_code:
sp->read_error = 1;
TIFFErrorExt(tif->tif_clientdata, tif->tif_name, “Using code not yet in table”);
return 0;
}
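Review bot: `sp->read_error = 1;` is set only under the `error_code:` label, while the `return 0;` immediately above it (the tail of the path the hunk header names `no_eoi`) leaves the flag at 0. After a failure on that path, a further `LZWDecode` call on the same strip/tile is not short-circuited by the new check. Please confirm whether that exit, and any other `return 0` failure exits in `LZWDecode`, leave the decoder state safe to re-enter, and set the flag there too if not.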
…
…
mentioned in issue #410 (closed)
Related news
Debian Linux Security Advisory 5333-1 - Several buffer overflow, divide by zero or out of bounds read/write vulnerabilities were discovered in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image.
A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.
This issue was addressed with improved entitlements. This issue is fixed in iOS 16, watchOS 9. An app may be able to read a persistent device identifier.
A logic issue was addressed with improved state management. This issue is fixed in iOS 16. Deleted contacts may still appear in spotlight search results.
A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to execute arbitrary code with kernel privileges.
Apple Security Advisory 2022-10-27-13 - watchOS 9 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-10-27-11 - tvOS 16 addresses buffer overflow, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.