Merge branch 'fix_ossfuzz_471328917' into 'master'

_TIFFGetStrileOffsetOrByteCountValue(): fix potential crash on corrupted files... See merge request libtiff/libtiff!799
2026-01-18 21:51:18 +01:00 · 2025-12-24 14:27:11 +00:00
parent b6995387ca 9b97b2acfa
commit 61c30c146c
1 changed files with 14 additions and 0 deletions
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -8344,6 +8344,20 @@ static uint64_t _TIFFGetStrileOffsetOrByteCountValue(TIFF *tif, uint32_t strile,
    TIFFDirectory *td = &tif->tif_dir;
    if (pbErr)
        *pbErr = 0;
+
+    /* Check that StripOffsets and StripByteCounts tags have the same number
+     * of declared entries. Otherwise we might take the "dirent->tdir_count <=
+     * 4" code path for one of them, and the other code path for the other one,
+     * which will lead to inconsistencies and potential out-of-bounds reads.
+     */
+    if (td->td_stripoffset_entry.tdir_count !=
+        td->td_stripbytecount_entry.tdir_count)
+    {
+        if (pbErr)
+            *pbErr = 1;
+        return 0;
+    }
+
    if ((tif->tif_flags & TIFF_DEFERSTRILELOAD) &&
        !(tif->tif_flags & TIFF_CHOPPEDUPARRAYS))
    {