1
From 1f7359b00663804d96c3a102bcb6ead9812c1509 Mon Sep 17 00:00:00 2001
2
From: erouault <erouault>
3
Date: Tue, 23 Dec 2014 10:15:35 +0000
4
Subject: [PATCH] * libtiff/tif_read.c: fix several invalid comparisons of a
5
uint64 value with <= 0 by casting it to int64 first. This solves crashing bug
6
on corrupted images generated by afl.
10
libtiff/tif_read.c | 6 +++---
11
2 files changed, 9 insertions(+), 3 deletions(-)
13
Index: tiff-3.9.5/libtiff/tif_read.c
14
===================================================================
15
--- tiff-3.9.5.orig/libtiff/tif_read.c 2015-03-30 07:50:30.550858302 -0400
16
+++ tiff-3.9.5/libtiff/tif_read.c 2015-03-30 07:51:56.627609221 -0400
18
return ((tsize_t) -1);
20
bytecount = td->td_stripbytecount[strip];
21
- if (bytecount <= 0) {
22
+ if ((int64)bytecount <= 0) {
23
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
24
"%lu: Invalid strip byte count, strip %lu",
25
(unsigned long) bytecount, (unsigned long) strip);
27
* So we are using uint32 instead of tsize_t here.
29
uint32 bytecount = td->td_stripbytecount[strip];
30
- if (bytecount <= 0) {
31
+ if ((int64)bytecount <= 0) {
32
TIFFErrorExt(tif->tif_clientdata, module,
33
"%s: Invalid strip byte count %lu, strip %lu",
34
tif->tif_name, (unsigned long) bytecount,
36
* So we are using uint32 instead of tsize_t here.
38
uint32 bytecount = td->td_stripbytecount[tile];
39
- if (bytecount <= 0) {
40
+ if ((int64)bytecount <= 0) {
41
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
42
"%lu: Invalid tile byte count, tile %lu",
43
(unsigned long) bytecount, (unsigned long) tile);