2017.08.02 15:00 "[Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF

2017.08.04 15:27 "Re: [Tiff] Error handling in Read/Write/Seek", by Even Rouault

On Thursday 3 August 2017 17:04:55 CEST Nicolas RUFF wrote:

It seems best to block any negative size values from being passed into these functions in the first place. Libtiff is not in control of the I/O functions, so it is best to assure that they are not passed illegal values which might cause I/O implementations to do very bad things.

Not sure I understand what you mean here. Here are all call locations for SeekOK():

tif_dir.c: 2 times
tif_read.c: 4 times
tif_write.c: 1 time
tif_dirread.c: 3 times
tif_dirwrite.c: 9 times

Do you suggest adding an extra check for (off<0) before each call? If yes, I can prepare a patch.

Before patching *all* those calls, I'd start with just the one (or the few ones) that are needed with your fuzzed file (blindly guessing that the issue is localized and not general...)

Opening a ticket in http://bugzilla.maptools.org/enter_bug.cgi with the reproducer file and your proposed patch would be good.

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com
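As an added illustration of the guard discussed in this thread (this is example code, not libtiff's code nor either poster's patch): a checked seek wrapper that rejects a negative or overflowing offset before handing it to a caller-supplied seek callback, so that an I/O implementation the library does not control never sees an illegal value. The callback type, the in-memory backend and all names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical pluggable I/O: a seek callback with the shape of a
 * user-supplied procedure. The library does not control its body, so
 * the library must never pass it an illegal offset. */
typedef int64_t (*seek_proc)(void *handle, int64_t off, int whence);

/* Constructed in-memory "file" used as the I/O backend for this example. */
typedef struct {
    unsigned char data[64];
    int64_t size;
    int64_t pos;
} mem_file;

/* A naive backend: it trusts whatever offset it is given, which is
 * exactly the situation the guard below protects against. */
static int64_t mem_seek(void *handle, int64_t off, int whence)
{
    mem_file *f = (mem_file *)handle;
    int64_t base = (whence == SEEK_SET) ? 0 :
                   (whence == SEEK_CUR) ? f->pos : f->size;
    f->pos = base + off;            /* deliberately unvalidated */
    return f->pos;
}

/* Guarded seek: validate, then delegate. Returns 1 on success and 0 on
 * rejection; on rejection the backend is never called. The (off<0) rule
 * from the thread is applied for every whence value. */
int checked_seek(void *handle, seek_proc seek, int64_t off, int whence,
                 int64_t cur, int64_t size)
{
    int64_t base;
    if (off < 0)                    /* the (off<0) check proposed above */
        return 0;
    switch (whence) {
    case SEEK_SET: base = 0;    break;
    case SEEK_CUR: base = cur;  break;
    case SEEK_END: base = size; break;
    default:       return 0;        /* unknown whence is also rejected */
    }
    if (off > INT64_MAX - base)     /* base + off would overflow */
        return 0;
    return seek(handle, off, whence) == base + off;
}
```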