--------------------- PatchSet 2876 Date: 2014/12/29 14:09:11 Author: erouault Branch: HEAD Tag: (none) Log: * libtiff/tif_next.c: add new tests to check that we don't read outside of the compressed input stream buffer. * libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height Members: ChangeLog:1.980->1.981 libtiff/tif_getimage.c:1.85->1.86 libtiff/tif_next.c:1.15->1.16
Index: libtiff/libtiff/tif_getimage.c
diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86
--- libtiff/libtiff/tif_getimage.c:1.85 Thu Dec 25 13:29:11 2014
+++ libtiff/libtiff/tif_getimage.c Mon Dec 29 07:09:11 2014
@@ -1871,7 +1871,7 @@
 (void) y;
 fromskew = (fromskew * 10) / 4;
- if ((h & 3) == 0 && (w & 1) == 0) {
+ if ((w & 3) == 0 && (h & 1) == 0) {
 for (; h >= 2; h -= 2) {
 x = w>>2;
 do {
@@ -1948,7 +1948,7 @@
 /* XXX adjust fromskew */
 do {
 x = w>>2;
- do {
+ while(x>0) {
 int32 Cb = pp[4];
 int32 Cr = pp[5];
@@ -1959,7 +1959,8 @@
 cp += 4;
 pp += 6;
- } while (--x);
+ x--;
+ }
 if( (w&3) != 0 )
 {
@@ -2050,7 +2051,7 @@
 fromskew = (fromskew * 4) / 2;
 do {
 x = w>>1;
- do {
+ while(x>0) {
 int32 Cb = pp[2];
 int32 Cr = pp[3];
@@ -2059,7 +2060,8 @@
 cp += 2;
 pp += 4;
- } while (--x);
+ x --;
+ }
 if( (w&1) != 0 )
 {
Index: libtiff/libtiff/tif_next.c
diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16
--- libtiff/libtiff/tif_next.c:1.15 Sun Dec 21 13:07:48 2014
+++ libtiff/libtiff/tif_next.c Mon Dec 29 07:09:11 2014
@@ -71,7 +71,7 @@
 TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
 return (0);
 }
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
 n = *bp++, cc--;
 switch (n) {
 case LITERALROW:
@@ -90,6 +90,8 @@
 * The scanline has a literal span that begins at some
 * offset.
 */
+ if( cc < 4 )
+ goto bad;
 off = (bp[0] * 256) + bp[1];
 n = (bp[2] * 256) + bp[3];
 if (cc < 4+n || off+n > scanline)
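Review bot: In libtiff/tif_getimage.c at `@@ -1871`, the fast path selected by the corrected test still opens with `x = w>>2; do {`, so it depends on `w` being non-zero: `(w & 3) == 0` also holds for `w == 0`, which enters a do/while with `x == 0`. The later hunks of this commit replace that same loop shape with `while(x>0) { … x--; }`, apparently to cope with a zero count, so this loop probably wants the same treatment, or a comment such as `/* w is a non-zero multiple of 4 here */` if a caller guarantees it. The loop's closing line lies outside the hunk, so the actual termination condition should be confirmed there.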
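Review bot: The rewritten inner loops at `@@ -1948`/`@@ -1959` (and again at `@@ -2050`/`@@ -2059`) carry no comment explaining why the do/while became a pre-tested loop, which makes it easy for a later cleanup to turn them back. A line such as `/* x can be 0 for a narrow strile: the body must not run at all */` above each `while(x>0) {` would record the intent. The counter is now initialised, tested and decremented on three separate lines; `for (x = w>>2; x > 0; x--) {` (and `w>>1` in the second loop) states the same thing in one place and removes the `x--;` versus `x --;` spacing difference. The enclosing functions start and end outside these hunks.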
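Review bot: In libtiff/tif_next.c at `@@ -71`, the added `cc > 0 &&` makes the loop stop quietly when the compressed data runs out while `occ` is still positive, so a truncated strip is no longer over-read but is not reported by anything visible in this hunk either. If the code after the loop (outside the hunk) returns success, the caller receives a partly decoded buffer with no diagnostic. Consider keeping the original loop condition and failing inside the body with `if (cc <= 0) goto bad;` before `n = *bp++, cc--;`, or testing `occ > 0` after the loop. Whether the `bad` label emits an error message should be confirmed, since only a `goto` to it is visible in this diff.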
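Review bot: The new `if( cc < 4 ) goto bad;` at `@@ -90` uses a bare 4 whose meaning has to be worked out from the four `bp[…]` reads below it, and the same 4 reappears in `cc < 4+n`. A short comment, `/* span header: 2-byte offset + 2-byte count */`, would make both checks self-explanatory. The spacing `if( cc < 4 )` also differs from the neighbouring `if (cc < 4+n || …)`; matching the file's existing style would be tidier. The case body continues past the end of the hunk.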