2018.12.08 22:03 "Re: [Tiff] Zlib inflate recovery action required?", by Toby Thain
On 2018-12-08 3:43 PM, Bob Friesenhahn wrote:
I have a TIFF pixar log compressed file for which zlib is reporting Z_DATA_ERROR from inflate() in tif_pixarlog.c line 816.
Is it the consensus of opinion that an attempt to recover from
> Z_DATA_ERROR is valuable? The alternative is to quit right away and
hopefully not plow into reading unitialized memory (considered to be a
> security problem rather than a virtue). Should libtiff try really hard
to read apparently corrupted files or can we safely assume that modern computers do not produce useful corrupted files?
Thanks in advance for any informed opinions.
Speaking only as the author of a PSD parser/scavenger (extensively fuzz tested) I think libtiff should make a reasonable effort to read the file, but the activity of trying to recover or scavenge data doesn't really belong in a general purpose library, especially if it increases attack surface or complexity. Most important imho is to ensure the error reporting chain is as reliable and comprehensive as possible.