TIFF and LibTiff Mailing List Archive
August 2017

The TIFF Mailing List Homepage
This list is run by Frank Warmerdam
Archive maintained by AWare Systems






Thread

2017.08.02 15:00 "Error handling in Read/Write/Seek", by Nicolas Ruff
2017.08.02 15:26 "Re: Error handling in Read/Write/Seek", by Bob Friesenhahn
2017.08.03 15:04 "Re: Error handling in Read/Write/Seek", by Nicolas Ruff
2017.08.03 15:23 "Re: Error handling in Read/Write/Seek", by Bob Friesenhahn
2017.08.04 15:27 "Re: Error handling in Read/Write/Seek", by Even Rouault
2017.08.07 15:53 "Re: Error handling in Read/Write/Seek", by Nicolas Ruff
2017.09.06 07:48 "Re: Error handling in Read/Write/Seek", by Nicolas Ruff
2017.09.06 10:32 "Re: Error handling in Read/Write/Seek", by Even Rouault
2017.09.06 13:16 "Re: Error handling in Read/Write/Seek", by Nicolas Ruff
2017.09.07 14:06 "Re: Error handling in Read/Write/Seek", by Even Rouault
2017.09.08 07:50 "Re: Error handling in Read/Write/Seek", by Nicolas Ruff

2017.09.06 07:48 "Re: Error handling in Read/Write/Seek", by Nicolas Ruff

Sorry to resurrect this old thread, but I came up with a much simpler patch:

--- libtiff/tiffiop.h    2017-07-04 15:28:42.000000000 +0200
+++ libtiff/tiffiop.h    2017-09-05 13:38:02.305947462 +0200
@@ -239,7 +239,7 @@
 #endif
 #ifndef SeekOK
 #define SeekOK(tif, off) \
-    (TIFFSeekFile((tif),(off),SEEK_SET)==(off))
+    (((off_t)(off) >= 0) && TIFFSeekFile((tif),(off),SEEK_SET)==(off))
 #endif
 #ifndef WriteOK
 #define WriteOK(tif, buf, size) \
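Review bot: The new guard in SeekOK, `((off_t)(off) >= 0)`, depends on the width of the platform's off_t, which is not fixed. If off is wider than off_t (for example a 64-bit offset where off_t is 32 bits), the cast truncates: a legitimate offset with bit 31 set is rejected, while an offset with the top bit set but bit 31 clear still passes the guard and reaches TIFFSeekFile. Consider comparing off against a fixed-width bound instead, such as the maximum value of a signed 64-bit integer, so the result is the same on every platform. The macro also now evaluates `off` three times, and a one-line comment explaining why the sign check exists (with the bug reference) would help the next reader.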

The rationale behind it is described in
http://bugzilla.maptools.org/show_bug.cgi?id=2726#c4

Would you consider this patch for inclusion?

Thank you.

2017-08-07 17:53 GMT+02:00 Nicolas RUFF <nicolas.ruff@gmail.com>:

> Thank you all. I filed http://bugzilla.maptools.org/show_bug.cgi?id=2726
> as a follow-up. Let's continue this discussion on the bug.
>
> Regards,
> - Nicolas RUFF
>
> 2017-08-04 17:27 GMT+02:00 Even Rouault <even.rouault@spatialys.com>:
>
>> On Thursday 3 August 2017 17:04:55 CEST Nicolas RUFF wrote:
>>
>> > > It seems best to block any negative size values from being passed into
>> > > these functions in the first place. Libtiff is not in control of the I/O
>> > > functions, so it is best to assure that they are not passed illegal
>> > > values which might cause I/O implementations to do very bad things.
>> >
>> > Not sure to understand what you mean here. Here are all call locations
>> > for SeekOK():
>> > tif_dir.c : 2 times
>> > tif_read.c : 4 times
>> > tif_write.c : 1 time
>> > tif_dirread.c : 3 times
>> > tif_dirwrite.c : 9 times
>> >
>> > Do you suggest to add an extra check for (off<0) before each call? If
>> > yes, I can prepare a patch.
>>
>> Before patching *all* those calls, I'd start with just the one (or the
>> few ones) that are needed with your fuzzed file (blindly guessing that the
>> issue is localized and not general...)
>>
>> Opening a ticket in http://bugzilla.maptools.org/enter_bug.cgi with the
>> reproducer file and your proposed patch would be good.
>>
>> Even
>>
>> --
>> Spatialys - Geospatial professional services
>> http://www.spatialys.com