image/tiff: fix a panic with invalid tile sizes
Fuzzing detected that an invalid tile size could cause a
panic. Fix a typo in the range check to solve it.

Fixes golang/go#10712.

Change-Id: I88a5a7884d98f622cc89ed6e394becebb07c6e60
Reviewed-on: https://go-review.googlesource.com/11020
Reviewed-by: Nigel Tao <[email protected]>
balloontmz6 committed Feb 17, 2022
1 parent 285256c commit f495b40
Showing 2 changed files with 40 additions and 1 deletion.
2 changes: 1 addition & 1 deletion tiff/reader.go
Expand Up @@ -321,7 +321,7 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
max := img.PixOffset(rMaxX, y)
off := (y - ymin) * (xmax - xmin) * 3
for i := min; i < max; i += 4 {
if d.off+3 > len(d.buf) {
if off+3 > len(d.buf) {
return FormatError("not enough pixel data")
}
img.Pix[i+0] = d.buf[off+0]
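Review bot: The bounds check `off+3 > len(d.buf)` only guards the upper end, while `off` is computed two lines above as `(y - ymin) * (xmax - xmin) * 3` from tile geometry that the accompanying test shows is controlled by the file (tTileWidth). If that product can overflow `int` on a 32-bit build, `off` would be negative, pass this check and still panic at `d.buf[off+0]`; I have not confirmed the dimensions can get that large, so treat it as something to verify. A cheap hardening is `if off < 0 || off+3 > len(d.buf) {`. It is also worth checking the other pixel-format branches of decode for the same `d.off`/`off` mix-up, since the function's body starts and ends outside this hunk.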
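--- a/tiff/reader_test.go
+++ b/tiff/reader_test.go
@@ -211,6 +211,45 @@ func TestDecompress(t *testing.T) {
 }
 }
 
+// TestTileTooBig checks that we do not panic when a tile is too big compared
+// to the data available.
+// Issue 10712
+func TestTileTooBig(t *testing.T) {
+contents, err := ioutil.ReadFile(testdataDir + "video-001-tile-64x64.tiff")
+if err != nil {
+t.Fatal(err)
+}
+
+// Mutate the loaded image to have the problem.
+//
+// 0x42 01: tag number (tTileWidth)
+// 03 00: data type (short, or uint16)
+// 01 00 00 00: count
+// xx 00 00 00: value (0x40 -> 0x44: a wider tile consumes more data
+// than is available)
+find := []byte{0x42, 0x01, 3, 0, 1, 0, 0, 0, 0x40, 0, 0, 0}
+repl := []byte{0x42, 0x01, 3, 0, 1, 0, 0, 0, 0x44, 0, 0, 0}
+contents = bytes.Replace(contents, find, repl, 1)
+
+// Turn off the predictor, which makes it possible to hit the
+// place with the defect. Without this patch to the image, we run
+// out of data too early, and do not hit the part of the code where
+// the original panic was.
+//
+// 42 01: tag number (tPredictor)
+// 03 00: data type (short, or uint16)
+// 01 00 00 00: count
+// xx 00 00 00: value (2 -> 1: 2 = horizontal, 1 = none)
+find = []byte{0x3d, 0x01, 3, 0, 1, 0, 0, 0, 2, 0, 0, 0}
+repl = []byte{0x3d, 0x01, 3, 0, 1, 0, 0, 0, 1, 0, 0, 0}
+contents = bytes.Replace(contents, find, repl, 1)
+
+_, err = Decode(bytes.NewReader(contents))
+if err == nil {
+t.Fatal("did not expect nil error")
+}
+}
+
 // Do not panic when image dimensions are zero, return zero-sized
 // image instead.
 // Issue 10393.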
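Review bot: Neither `bytes.Replace` call in TestTileTooBig verifies that its pattern was actually found, so if the fixture ever changes the test can keep passing on an unrelated early error without reaching the fixed bounds check. Guard each mutation before the replace, e.g. `if !bytes.Contains(contents, find) { t.Fatal("tTileWidth entry not found in fixture") }`. The final assertion accepts any non-nil error; checking that it is a `FormatError` would pin the regression more tightly. The second comment block labels the tPredictor tag bytes as `42 01` while the code uses `0x3d, 0x01`, so that comment line should read `0x3d 01: tag number (tPredictor)`.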
