Skip to content

Commit

Permalink
tiff: reject IFDs whose data is longer than int.
Browse files Browse the repository at this point in the history
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <[email protected]>
  • Loading branch information
yi-ge3 committed Feb 20, 2022
1 parent b947b70 commit 594b352
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 0 deletions.
4 changes: 4 additions & 0 deletions tiff/reader.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ import (
"image/color"
"io"
"io/ioutil"
"math"

"golang.org/x/image/tiff/lzw"
)
Expand Down Expand Up @@ -72,6 +73,9 @@ func (d *decoder) ifdUint(p []byte) (u []uint, err error) {
var raw []byte
datatype := d.byteOrder.Uint16(p[2:4])
count := d.byteOrder.Uint32(p[4:8])
if count > math.MaxInt32/lengths[datatype] {
return nil, FormatError("IFD data too large")
}
if datalen := lengths[datatype] * count; datalen > 4 {
// The IFD contains a pointer to the real value.
raw = make([]byte, datalen)
Expand Down
19 changes: 19 additions & 0 deletions tiff/reader_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,25 @@ func TestZeroSizedImages(t *testing.T) {
}
}

// TestLargeIFDEntry verifies that a large IFD entry does not cause Decode
// to panic.
// Issue 10596.
func TestLargeIFDEntry(t *testing.T) {
testdata := "II*\x00\x08\x00\x00\x00\f\x000000000000" +
"00000000000000000000" +
"00000000000000000000" +
"00000000000000000000" +
"00000000000000\x17\x01\x04\x00\x01\x00" +
"\x00\xc0000000000000000000" +
"00000000000000000000" +
"00000000000000000000" +
"000000"
_, err := Decode(strings.NewReader(testdata))
if err == nil {
t.Fatal("Decode with large IFD entry: got nil error, want non-nil")
}
}

// benchmarkDecode benchmarks the decoding of an image.
func benchmarkDecode(b *testing.B, filename string) {
b.StopTimer()
Expand Down

0 comments on commit 594b352

Please sign in to comment.