
Re: tiff / CVE-2018-7456



Hugo Lefeuvre <hle@debian.org> writes:

> Under certain conditions, the td->td_transferfunction table might not
> have the expected size, that is it may not have the expected number of
> samples per pixel (td->td_samplesperpixel). In this case for example,
> the table is only 3 rows large while td->td_samplesperpixel is 4. Then,
> the program segfaults when it comes to td->td_transferfunction[3][0].

The faulty test case is where the table is supposed to have three
entries, but only two entries are provided.

The definition of td_transferfunction is:

typedef struct {
    ...
    uint16* td_transferfunction[3];
    ...
} TIFFDirectory;

My assumption was that the list would be NULL terminated. In practice it
is NULL terminated (might be accidental due to newly allocated memory
being initialized to 0), but I should double check this.

However, as this table is only 3 entries long (huh? Is that hardcoded
value really safe here?), it cannot be null terminated for the case
where there are three tables. However, it still could be null terminated
for less than three entries.

I am out of time for this month, and can't see where td_transferfunction
is read at quick glance. I will resume this next month, unless somebody
has taken over.
-- 
Brian May <bam@debian.org>
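To make the two failure modes discussed in this thread concrete, here is an added example (not libtiff code, and not from either poster): a constructed stand-in for the two TIFFDirectory members mentioned, with a lookup that refuses any channel index at or beyond the hardcoded table count of 3 and treats a NULL entry as "table absent" rather than relying on freshly allocated memory happening to be zeroed. The struct `dir_t`, the functions `tf_table` and `tf_usable_tables`, and the sample directory (four samples per pixel, two tables supplied) are all hypothetical and built inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two TIFFDirectory fields the thread
 * discusses. This is NOT libtiff's struct, only the members mentioned. */
#define TF_TABLES 3 /* the hardcoded table count from the quoted definition */

typedef struct {
    uint16_t td_samplesperpixel;
    uint16_t *td_transferfunction[TF_TABLES];
} dir_t;

/* Hypothetical bounds-checked lookup: returns the table for channel `chan`,
 * or NULL. An index >= TF_TABLES (e.g. channel 3 when samplesperpixel is 4)
 * is rejected before td_transferfunction[chan] is ever touched. */
const uint16_t *tf_table(const dir_t *td, unsigned chan)
{
    if (td == NULL || chan >= TF_TABLES)
        return NULL;
    return td->td_transferfunction[chan];
}

/* Number of channels a consumer may safely iterate over: the smaller of
 * samplesperpixel and the fixed array size, stopping at the first NULL
 * entry instead of assuming a terminator exists. */
unsigned tf_usable_tables(const dir_t *td)
{
    unsigned limit = td->td_samplesperpixel < TF_TABLES
                         ? td->td_samplesperpixel
                         : TF_TABLES;
    unsigned n = 0;
    while (n < limit && td->td_transferfunction[n] != NULL)
        n++;
    return n;
}

/* Constructed case from the thread: three tables expected, only two
 * provided, and samplesperpixel (4) larger than the array. */
static dir_t make_sample_dir(void)
{
    static uint16_t t0[2] = {0, 65535};
    static uint16_t t1[2] = {1, 2};
    dir_t td = {.td_samplesperpixel = 4,
                .td_transferfunction = {t0, t1, NULL}};
    return td;
}

/* Returns how many tables the sample directory really offers (2). */
unsigned demo_usable_tables(void)
{
    dir_t td = make_sample_dir();
    return tf_usable_tables(&td);
}

/* Returns 1 if the out-of-range channel 3 is rejected, 0 otherwise. */
int demo_rejects_channel3(void)
{
    dir_t td = make_sample_dir();
    return tf_table(&td, 3) == NULL;
}

int main(void)
{
    printf("usable tables: %u\n", demo_usable_tables());
    printf("channel 3 %s\n", demo_rejects_channel3() ? "rejected" : "accepted");
    return 0;
}
```

The point of `tf_usable_tables` is that the iteration bound comes from the minimum of `td_samplesperpixel` and the array's compile-time size, so a mismatch between the two degrades to "fewer tables" rather than a read past the end of the array or through a NULL pointer.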

