Commit

Fix for CVE-2021-25291
* Invalid tile boundaries lead to OOB Read in TiffDecode.c, in TiffReadRGBATile
* Check the tile validity before attempting to read.
wiredfool authored and radarhere committed Mar 1, 2021
1 parent e25be1e commit 8b8076b
Showing 3 changed files with 10 additions and 0 deletions.
Binary file not shown.
1 change: 1 addition & 0 deletions Tests/test_tiff_crashes.py
Expand Up @@ -32,6 +32,7 @@
"Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif",
"Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif",
"Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif",
"Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif",
],
)
@pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")
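Review bot: The added entry crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif is identified only by its hash, so nothing in the test file ties it to CVE-2021-25291 or to the TIFFCheckTile guard added in TiffDecode.c. A trailing comment on that line naming the CVE would keep the regression case traceable when the list grows. The visible context does not show what the parametrized test asserts, so it is worth confirming that this file makes the test fail without the C change and that the expected outcome is a clean decode error rather than any exception.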
9 changes: 9 additions & 0 deletions src/libImaging/TiffDecode.c
Expand Up @@ -479,6 +479,15 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_

for (y = state->yoff; y < state->ysize; y += tile_length) {
for (x = state->xoff; x < state->xsize; x += tile_width) {
/* Sanity Check. Apparently in some cases, the TiffReadRGBA* functions
have a different view of the size of the tiff than we're getting from
other functions. So, we need to check here.
*/
if (!TIFFCheckTile(tiff, x, y, 0, 0)) {
TRACE(("Check Tile Error, Tile at %dx%d\n", x, y));
state->errcode = IMAGING_CODEC_BROKEN;
goto decode_err;
}
if (isYCbCr) {
/* To avoid dealing with YCbCr subsampling, let libtiff handle it */
if (!TIFFReadRGBATile(tiff, x, y, (UINT32 *)state->buffer)) {
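Review bot: The comment above the TIFFCheckTile call says the sizes disagree "in some cases" but does not name the two sources, so a later reader cannot tell whether the loop bounds (state->xsize, state->ysize) or libtiff's own image dimensions are the trusted side. Stating that in the comment, and noting that x and y come from the loop over state->xoff/state->yoff, would document why the guard has to sit inside the inner loop. The z and sample arguments are hard-coded to 0, which is enough to validate x and y against the image bounds but checks only the first plane; a short remark that this is intentional would help. The failure is reported only through TRACE, which is a debug facility, so outside debug builds the only signal to the caller is IMAGING_CODEC_BROKEN; that is acceptable, but the guard placement before the isYCbCr branch should be confirmed to cover the non-YCbCr read path below as well, which this hunk does not show.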