From 343118c63c163684ac1ed7b6c31d8d61bb43fe55 Mon Sep 17 00:00:00 2001
From: Even Rouault <[EMAIL REDACTED]>
Date: Mon, 10 Oct 2022 22:23:07 +0200
Subject: [PATCH] TIFFAdvanceDirectory(): fix unsigned-integer-overflow in
mapped case
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52309
---
libtiff/tif_dir.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 1c8bb255..9b153b63 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1633,9 +1633,14 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdiroff, uint64_t* off, uint16_t* n
tmsize_t poffa,poffb,poffc,poffd;
uint64_t dircount64;
uint16_t dircount16;
+ if( poff > (uint64_t)TIFF_TMSIZE_T_MAX - sizeof(uint64_t) )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count");
+ return(0);
+ }
poffa=(tmsize_t)poff;
poffb=poffa+sizeof(uint64_t);
- if (((uint64_t)poffa != poff) || (poffb < poffa) || (poffb < (tmsize_t)sizeof(uint64_t)) || (poffb > tif->tif_size))
+ if (poffb > tif->tif_size)
{
TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count");
return(0);
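Review bot: The new guard on `poff` silently subsumes three of the four conditions dropped from the `if` below it (the `(uint64_t)poffa != poff` round-trip test and the two `poffb` wrap tests), and nothing in the hunk says so, so a later reader will wonder whether the cast-exactness check was lost by accident. Add a comment above the guard: `/* Reject offsets that would not survive the cast to tmsize_t or that would overflow poffa + sizeof(uint64_t) below; the remaining check only needs to compare against tif_size. */`. The guard appears correct for both 32- and 64-bit tmsize_t, since poff <= TIFF_TMSIZE_T_MAX - 8 implies the cast is exact and the addition cannot wrap. The enclosing TIFFAdvanceDirectory body starts before and continues past this hunk.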
@@ -1649,9 +1654,14 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdiroff, uint64_t* off, uint16_t* n
return(0);
}
dircount16=(uint16_t)dircount64;
+ if( poffb > TIFF_TMSIZE_T_MAX - (tmsize_t)(dircount16*20) - (tmsize_t)sizeof(uint64_t) )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory link");
+ return(0);
+ }
poffc=poffb+dircount16*20;
poffd=poffc+sizeof(uint64_t);
- if ((poffc<poffb) || (poffc<dircount16*20) || (poffd<poffc) || (poffd<(tmsize_t)sizeof(uint64_t)) || (poffd > tif->tif_size))
+ if (poffd > tif->tif_size)
{
TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory link");
return(0);
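Review bot: The entry-size product `dircount16*20` is computed twice in the new code (the added guard and the `poffc` line) with a bare magic number, and the two occurrences must stay identical for the overflow bound to be meaningful. Hoist it once before the guard, `const tmsize_t dirsize = (tmsize_t)dircount16 * 20; /* 20-byte BigTIFF directory entries */`, then use `dirsize` in both `poffb > TIFF_TMSIZE_T_MAX - dirsize - (tmsize_t)sizeof(uint64_t)` and `poffc=poffb+dirsize;`. The bound itself looks right: `dircount16*20` is at most 1310700 and fits in int, and `poffb` was already bounded by `tif_size` in the previous hunk, so neither subtraction can underflow. As in the first hunk, a one-line comment stating that this guard replaces the four removed wrap checks would help; the function continues past the end of this hunk.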