There are two out-of-bounds writes in cpTags in tiff2bw and pal2rgb.

tools/tiff2bw.c:

    static void
    cpTags(TIFF* in, TIFF* out)
    {
        struct cpTag *p;
        for (p = tags; p < &tags[NTAGS]; p++)
            cpTag(in, out, p->tag, p->count, p->type);
    }

tools/pal2rgb.c:

    static void
    cpTags(TIFF* in, TIFF* out)
    {
        struct cpTag *p;
        for (p = tags; p < &tags[NTAGS]; p++)
            cpTag(in, out, p->tag, p->count, p->type);
    }

The correct logic should be "only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4".

Below is the proposed patch.

 cpTags(TIFF* in, TIFF* out)
 {
     struct cpTag *p;
     for (p = tags; p < &tags[NTAGS]; p++)
-        cpTag(in, out, p->tag, p->count, p->type);
+    {
+        if( p->tag == TIFFTAG_GROUP3OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                compression != COMPRESSION_CCITTFAX3 )
+                continue;
+        }
+        if( p->tag == TIFFTAG_GROUP4OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                compression != COMPRESSION_CCITTFAX4 )
+                continue;
+        }
+        cpTag(in, out, p->tag, p->count, p->type);
+    }
 }
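Review bot: the two `+` blocks each re-read TIFFTAG_COMPRESSION inside the loop body and each declare their own `uint16 compression`; reading the compression once above the `for` loop (keeping the patch's behaviour of skipping both option tags when `TIFFGetField` fails) would remove the duplicated lookup and let both checks share one variable. The proposal also carries no file header or @@ hunk header, and since the report identifies the same cpTags body in both tools/tiff2bw.c and tools/pal2rgb.c, it needs to be applied to both files for the fix to cover both out-of-bounds writes.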
This has been fixed: https://gitlab.com/libtiff/libtiff/commit/f1b94e8a3ba49febdd3361c0214a1d1149251577 (merge request https://gitlab.com/libtiff/libtiff/merge_requests/33).
fixed