Fix for CVE-2021-25291

* Invalid tile boundaries lead to OOB Read in TiffDecode.c, in TiffReadRGBATile * Check the tile validity before attempting to read.
2025-01-26 17:24:31 +03:00 · 2021-01-23 11:36:50 +01:00 · 2021-01-23 11:36:50 +01:00 · cbdce6c5d0
commit cbdce6c5d0
parent 86f02f7c70
3 changed files with 10 additions and 0 deletions
--- a/Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif
+++ b/Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif
--- a/Tests/test_tiff_crashes.py
+++ b/Tests/test_tiff_crashes.py
@ -32,6 +32,7 @@ from .helper import on_ci
        "Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif",
        "Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif",
        "Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif",
+        "Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif",
    ],
 )
@pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")
--- a/src/libImaging/TiffDecode.c
+++ b/src/libImaging/TiffDecode.c
@ -562,6 +562,15 @@ ImagingLibTiffDecode(

        for (y = state->yoff; y < state->ysize; y += tile_length) {
            for (x = state->xoff; x < state->xsize; x += tile_width) {
+                /* Sanity Check. Apparently in some cases, the TiffReadRGBA* functions
+                   have a different view of the size of the tiff than we're getting from
+                   other functions. So, we need to check here. 
+                */
+                if (!TIFFCheckTile(tiff, x, y, 0, 0)) {
+                    TRACE(("Check Tile Error, Tile at %dx%d\n", x, y));
+                    state->errcode = IMAGING_CODEC_BROKEN;
+                    goto decode_err;
+                }
                if (isYCbCr) {
                    /* To avoid dealing with YCbCr subsampling, let libtiff handle it */
                    if (!TIFFReadRGBATile(tiff, x, y, (UINT32 *)state->buffer)) {