34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
Index: tiff-4.6.0/libtiff/tif_getimage.c
|
|
===================================================================
|
|
--- tiff-4.6.0.orig/libtiff/tif_getimage.c
|
|
+++ tiff-4.6.0/libtiff/tif_getimage.c
|
|
@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint
|
|
if (TIFFRGBAImageOK(tif, emsg) &&
|
|
TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
|
|
{
|
|
+ if (row >= img.height)
|
|
+ {
|
|
+ TIFFErrorExtR(tif, TIFFFileName(tif),
|
|
+ "Invalid row passed to TIFFReadRGBAStrip().");
|
|
+ TIFFRGBAImageEnd(&img);
|
|
+ return (0);
|
|
+ }
|
|
|
|
img.row_offset = row;
|
|
img.col_offset = 0;
|
|
@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint3
|
|
return (0);
|
|
}
|
|
|
|
+ if (col >= img.width || row >= img.height)
|
|
+ {
|
|
+ TIFFErrorExtR(tif, TIFFFileName(tif),
|
|
+ "Invalid row/col passed to TIFFReadRGBATile().");
|
|
+ TIFFRGBAImageEnd(&img);
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
/*
|
|
* The TIFFRGBAImageGet() function doesn't allow us to get off the
|
|
* edge of the image, even to fill an otherwise valid tile. So we
|