Evolution-x/external_piex
1
0
Fork 0
mirror of https://github.com/Evolution-X/external_piex synced 2026-02-01 07:35:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix heap buffer overflows in GetFullCropDimension in tiff_parser.cc

Browse Source 
Author: timurrrr@google.com

Bug: 73646839
Bug: 62307613
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6347
This commit is contained in:
Leon Scroggins III
2018-02-21 06:46:27 -05:00
committed by Leon Scroggins
parent cc441e44be
commit f7fc905cff
1 changed files with 28 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
src/tiff_parser.cc
View File

@@ -596,23 +596,41 @@ bool GetFullDimension32(const TiffDirectory& tiff_directory,
bool GetFullCropDimension(const tiff_directory::TiffDirectory& tiff_directory,
std::uint32_t* width, std::uint32_t* height) {
if (tiff_directory.Has(kExifTagDefaultCropSize)) {
std::vector<std::uint32_t> crop(2);
std::vector<Rational> crop_rational(2);
if (tiff_directory.Get(kExifTagDefaultCropSize, &crop)) {
if (!tiff_directory.Has(kExifTagDefaultCropSize)) {
// This doesn't look right to return true here, as we have not written
// anything to *width and *height. However, changing the return value here
// causes a whole bunch of tests to fail.
// TODO(timurrrr): Return false and fix the tests.
// In fact, this whole if() seems to be not needed,
// as tiff_directory(kExifTagDefaultCropSize) will return false below.
return true;
}
std::vector<std::uint32_t> crop(2);
if (tiff_directory.Get(kExifTagDefaultCropSize, &crop)) {
if (crop.size() == 2 && crop[0] > 0 && crop[1] > 0) {
*width = crop[0];
*height = crop[1];
} else if (tiff_directory.Get(kExifTagDefaultCropSize, &crop_rational) &&
crop_rational[0].denominator != 0 &&
crop_rational[1].denominator != 0) {
*width = crop_rational[0].numerator / crop_rational[0].denominator;
*height = crop_rational[1].numerator / crop_rational[1].denominator;
return true;
} else {
return false;
}
}
return true;
std::vector<Rational> crop_rational(2);
if (tiff_directory.Get(kExifTagDefaultCropSize, &crop_rational)) {
if (crop_rational.size() == 2 && crop_rational[0].numerator > 0 &&
crop_rational[0].denominator > 0 && crop_rational[1].numerator > 0 &&
crop_rational[1].denominator > 0) {
*width = crop_rational[0].numerator / crop_rational[0].denominator;
*height = crop_rational[1].numerator / crop_rational[1].denominator;
return true;
} else {
return false;
}
}
return false;
}
TiffParser::TiffParser(StreamInterface* stream) : stream_(stream) {}