LibGfx/TIFF: Prevent recursion when following IFD pointers

Fixes oss-fuzz 66587.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66587&sort=-opened&q=proj%3Aserenity%20TIFF&can=1
This commit is contained in:
Lucas CHOLLET 2024-03-06 20:13:42 -05:00 committed by Andreas Kling
parent 2c86633c51
commit cb5f30ae98


@ -530,14 +530,24 @@ private:
VERIFY_NOT_REACHED();
}
ErrorOr<void> set_next_ifd(u32 ifd_offset)
{
if (ifd_offset != 0) {
if (ifd_offset < TRY(m_stream->tell()))
return Error::from_string_literal("TIFFImageDecoderPlugin: Can not accept an IFD pointing to previous data");
m_next_ifd = Optional<u32> { ifd_offset };
} else {
m_next_ifd = OptionalNone {};
}
return {};
}
ErrorOr<void> read_next_idf_offset()
{
auto const next_block_position = TRY(read_value<u32>());
TRY(set_next_ifd(next_block_position));
if (next_block_position != 0)
m_next_ifd = Optional<u32> { next_block_position };
else
m_next_ifd = OptionalNone {};
return {};
}
@ -684,7 +694,10 @@ private:
}()));
auto subifd_handler = [&](u32 ifd_offset) -> ErrorOr<void> {
m_next_ifd = ifd_offset;
if (auto result = set_next_ifd(ifd_offset); result.is_error()) {
dbgln("{}", result.error());
return {};
}
TRY(read_next_image_file_directory());
return {};
};
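Review bot: The guard in set_next_ifd, `if (ifd_offset < TRY(m_stream->tell()))`, compares the new IFD pointer against the current stream cursor rather than the offset of the IFD being parsed, so it only rules out a cycle if the cursor never moves backwards between IFD reads; if the tag reader seeks to out-of-line tag values before subifd_handler runs (read_next_image_file_directory is outside the hunk, so this is inferred), tell() can sit below the current IFD's own offset and a SubIFD pointer back into already-parsed data would still be accepted. A high-water mark of the largest IFD offset visited so far, updated where the IFD is read and checked with `<=` (an IFD cannot legitimately start inside the one that references it), would make the invariant independent of the cursor, e.g. `if (ifd_offset <= m_highest_ifd_offset_seen /* constructed name */) return Error::from_string_literal("TIFFImageDecoderPlugin: Can not accept an IFD pointing to previous data");`. Either way the check deserves a why-comment, since nothing in the function says it exists to stop recursion: `// Only accept forward pointers: an IFD chain that can go backwards could loop forever.`. The `<` comparison also accepts an offset equal to tell(); that is safe only if reading the IFD always consumes at least one byte before the next pointer is examined, which the hunk does not show. Both hunks lie inside a class whose definition begins before the first hunk, and the function enclosing subifd_handler starts before the second.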