AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

Thread

2017.08.02 15:00 "[Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF
2017.08.02 15:26 "Re: [Tiff] Error handling in Read/Write/Seek", by Bob Friesenhahn
2017.08.03 15:04 "Re: [Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF
2017.08.03 15:23 "Re: [Tiff] Error handling in Read/Write/Seek", by Bob Friesenhahn
2017.08.04 15:27 "Re: [Tiff] Error handling in Read/Write/Seek", by Even Rouault
2017.08.07 15:53 "Re: [Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF
2017.09.06 07:48 "Re: [Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF
2017.09.06 10:32 "Re: [Tiff] Error handling in Read/Write/Seek", by Even Rouault
2017.09.06 13:16 "Re: [Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF
2017.09.07 14:06 "Re: [Tiff] Error handling in Read/Write/Seek", by Even Rouault
2017.09.08 07:50 "Re: [Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF

2017.09.08 07:50 "Re: [Tiff] Error handling in Read/Write/Seek", by Nicolas RUFF

Awesome, thank you!

I'll resume fuzzing and keep you posted.

2017-09-07 16:06 GMT+02:00 Even Rouault <even.rouault@spatialys.com>:

So the proper patch should be:

- (TIFFSeekFile((tif),(off),SEEK_SET)==(off)) + (((int64)(off) >= 0) && TIFFSeekFile((tif),(off),SEEK_SET)==(off))

I've applied a variation of your proposal, which avoids some compiler warning when off is of type uint32 (then a cast to int64 always result in a >= 0 value), which avoids undefined behaviour when casting a too large uint64 to int64 and which avoids the (existing) issue if off where the result of a function with a side effect.

Index: libtiff/tif_aux.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_aux.c,v
retrieving revision 1.29
diff -u -r1.29 tif_aux.c

--- libtiff/tif_aux.c   11 Nov 2016 20:45:53 -0000      1.29
+++ libtiff/tif_aux.c   7 Sep 2017 14:00:39 -0000

@@ -359,6 +359,13 @@
        }
 }

+int _TIFFSeekOK(TIFF* tif, toff_t off)
+{

+    /* Huge offsets, expecially -1 / UINT64_MAX, can cause issues */
+    /* See http://bugzilla.maptools.org/show_bug.cgi?id=2726 */
+    return off <= (~(uint64)0)/2 && TIFFSeekFile(tif,off,SEEK_SET)==off;

+}
+
 /* vim: set ts=8 sts=8 sw=8 noet: */
 /*
  * Local Variables:
Index: libtiff/tiffiop.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
retrieving revision 1.94
diff -u -r1.94 tiffiop.h

--- libtiff/tiffiop.h   4 Jul 2017 13:28:42 -0000       1.94
+++ libtiff/tiffiop.h   7 Sep 2017 14:00:39 -0000

@@ -238,8 +238,7 @@
        (TIFFReadFile((tif),(buf),(size))==(size))
 #endif
 #ifndef SeekOK
-#define SeekOK(tif, off) \
- (TIFFSeekFile((tif),(off),SEEK_SET)==(off))
+#define SeekOK(tif, off) _TIFFSeekOK(tif, off)
 #endif
 #ifndef WriteOK
 #define WriteOK(tif, buf, size) \
@@ -384,6 +383,7 @@
 _TIFFReadTileAndAllocBuffer(TIFF* tif,
                             void **buf, tmsize_t bufsizetoalloc,
                             uint32 x, uint32 y, uint32 z, uint16 s);
+extern int _TIFFSeekOK(TIFF* tif, toff_t off);

 extern int TIFFInitDumpMode(TIFF*, int);
 #ifdef PACKBITS_SUPPORT