- 2017.08.02 15:26 "Re: [Tiff] Error handling in Read/Write/Seek", by Bob Friesenhahn
- 2017.08.03 15:04 "Re: [Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF
- 2017.08.03 15:23 "Re: [Tiff] Error handling in Read/Write/Seek", by Bob Friesenhahn
- 2017.08.04 15:27 "Re: [Tiff] Error handling in Read/Write/Seek", by Even Rouault
2017.09.06 07:48 "Re: [Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF
Sorry to resurrect this old thread, but I came up with a much simpler patch:
--- libtiff/tiffiop.h 2017-07-04 15:28:42.000000000 +0200
+++ libtiff/tiffiop.h 2017-09-05 13:38:02.305947462 +0200
@@ -239,7 +239,7 @@
#endif
#ifndef SeekOK
#define SeekOK(tif, off) \
- (TIFFSeekFile((tif),(off),SEEK_SET)==(off))
+ (((off_t)(off) >= 0) && TIFFSeekFile((tif),(off),SEEK_SET)==(off))
#endif
#ifndef WriteOK
#define WriteOK(tif, buf, size) \
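Review bot: the new guard on the `+` line, `((off_t)(off) >= 0)`, is only as strong as the width of off_t: where off_t is 32 bits (a build without large-file support), a 64-bit offset whose high word is non-zero but whose bit 31 is clear (0x100000000, for instance) is truncated to a small non-negative value by the cast, passes the guard, and still reaches the seek callback with its high bits dropped. A check that does not depend on the cast, such as comparing `(off)` against the largest non-negative value an off_t can hold (derived from `sizeof(off_t)`), rejects every offset the callback cannot represent. Two smaller points: `off` is now evaluated up to three times by the macro (the original already evaluated it twice), so a comment that callers must not pass expressions with side effects would help; and since the rationale lives only in the bugzilla comment, a one-line comment above `#define SeekOK` saying why the sign check is there would keep it with the code.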
The rationale behind it is described in http://bugzilla.maptools.org/show_bug.cgi?id=2726#c4
Would you consider this patch for inclusion?
Thank you.
2017-08-07 17:53 GMT+02:00 Nicolas RUFF <nicolas.ruff@gmail.com>:
Thank you all. I filed http://bugzilla.maptools.org/show_bug.cgi?id=2726 as a follow-up. Let's continue this discussion on the bug.
2017-08-04 17:27 GMT+02:00 Even Rouault <even.rouault@spatialys.com>:
On Thursday 3 August 2017 17:04:55 CEST Nicolas RUFF wrote:
It seems best to block any negative size values from being passed into these functions in the first place. Libtiff is not in control of the I/O functions, so it is best to assure that they are not passed illegal values which might cause I/O implementations to do very bad things.
Not sure I understand what you mean here. Here are all call locations for SeekOK():
tif_dir.c: 2 times
tif_read.c: 4 times
tif_write.c: 1 time
tif_dirread.c: 3 times
tif_dirwrite.c: 9 times
Do you suggest to add an extra check for (off<0) before each call? If yes, I can prepare a patch.
Before patching *all* those calls, I'd start with just the one (or the few ones) that are needed with your fuzzed file (blindly guessing that the issue is localized and not general...)
Opening a ticket in http://bugzilla.maptools.org/enter_bug.cgi with the reproducer file and your proposed patch would be good.
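The guard discussed in this thread, `((off_t)(off) >= 0)`, and the alternative of comparing the offset against the largest value an off_t can hold, side by side in an added example. This is not libtiff code and not part of the original message; the function names are hypothetical, and the off_t width is passed in as a parameter (32 or 64) so that the behaviour of a 32-bit off_t can be exercised on a 64-bit host. The sample offsets are constructed.

```c
/*
 * Added example, not libtiff code: compares the offset guard proposed in the
 * patch above, ((off_t)(off) >= 0), with a guard that compares the 64-bit
 * offset against the largest non-negative value an off_t can hold.  The
 * off_t width is a parameter (32 or 64) so that the 32-bit case can be
 * exercised on any host; the function names are hypothetical.
 */
#include <inttypes.h>
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>

/* Value of (off_t)off when off_t is a two's-complement signed integer of
 * `bits` bits: keep the low `bits` bits and reinterpret them as signed. */
static int64_t truncate_to_signed(uint64_t off, unsigned bits)
{
    uint64_t mask = (bits >= 64) ? UINT64_MAX : (((uint64_t)1 << bits) - 1);
    uint64_t sign = (uint64_t)1 << (bits - 1);
    uint64_t low  = off & mask;
    if (low < sign)
        return (int64_t)low;                     /* top bit clear: positive */
    return -(int64_t)(~low & mask) - 1;          /* top bit set: negative   */
}

/* The guard from the proposed SeekOK patch, evaluated for an off_t of
 * `bits` bits.  Returns 1 if the offset would be accepted. */
static int cast_guard_accepts(uint64_t off, unsigned bits)
{
    return truncate_to_signed(off, bits) >= 0;
}

/* Largest offset an off_t of `bits` bits can hold without going negative. */
static uint64_t max_nonneg_off_t(unsigned bits)
{
    return ((uint64_t)1 << (bits - 1)) - 1;
}

/* Alternative guard: reject anything the seek callback could not represent,
 * regardless of what the low bits happen to look like after truncation. */
static int limit_guard_accepts(uint64_t off, unsigned bits)
{
    return off <= max_nonneg_off_t(bits);
}

/* Width of the host's real off_t, for use with the two guards above. */
static unsigned host_off_t_bits(void)
{
    return (unsigned)(sizeof(off_t) * CHAR_BIT);
}

int main(void)
{
    /* Constructed offsets of the kind a fuzzed directory entry could carry. */
    const uint64_t samples[] = {
        4096,                    /* ordinary offset            */
        0x80000000ULL,           /* bit 31 set                 */
        0x100000000ULL,          /* 2^32: low 32 bits are zero */
        (uint64_t)1 << 63,       /* bit 63 set                 */
        UINT64_MAX,              /* all bits set               */
    };
    const unsigned widths[] = { 32, 64 };

    printf("host off_t is %u bits\n\n", host_off_t_bits());
    for (size_t w = 0; w < 2; w++) {
        printf("off_t width %u:\n", widths[w]);
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
            printf("  0x%016" PRIx64 "  cast guard: %s  limit guard: %s\n",
                   samples[i],
                   cast_guard_accepts(samples[i], widths[w]) ? "accept" : "reject",
                   limit_guard_accepts(samples[i], widths[w]) ? "accept" : "reject");
        }
    }
    return 0;
}
```

With a 64-bit off_t the two guards agree on every sample. With a 32-bit off_t they diverge on 0x100000000: its low 32 bits are zero, so the cast guard accepts it while the limit guard rejects it, which is the case to keep in mind when deciding which form of the check to adopt.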