From a39d7c4fcf2f114c643112506a412cf195da0535 Mon Sep 17 00:00:00 2001
From: Eric Soroos
Date: Sun, 27 Dec 2020 17:04:45 +0100
Subject: [PATCH] Fix OOB Read in tif_dirinfo.c
==3330== at 0xBD4110C: _TIFFSetupFields (tif_dirinfo.c:327)
Passing in a stack allocated array is going to fail, as a reference is retained to the name and used later when flushing the Tiff to the file.
---
 src/libImaging/TiffDecode.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
index bdb524bec22..f33cbc6bd61 100644
--- a/src/libImaging/TiffDecode.c
+++ b/src/libImaging/TiffDecode.c
@@ -573,7 +573,6 @@ int ImagingLibTiffEncodeInit(ImagingCodecState state, char *filename, int fp) {
 int ImagingLibTiffMergeFieldInfo(ImagingCodecState state, TIFFDataType field_type, int key, int is_var_length){
 // Refer to libtiff docs (http://www.simplesystems.org/libtiff/addingtags.html)
 TIFFSTATE *clientstate = (TIFFSTATE *)state->context;
- char field_name[10];
 uint32 n;
 int status = 0;
@@ -586,7 +585,7 @@ int ImagingLibTiffMergeFieldInfo(ImagingCodecState state, TIFFDataType field_typ
 int passcount = 0;
 TIFFFieldInfo info[] = {
- { key, readcount, writecount, field_type, FIELD_CUSTOM, 1, passcount, field_name }
+ { key, readcount, writecount, field_type, FIELD_CUSTOM, 1, passcount, "CustomField" }
 };
 if (is_var_length) {
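Review bot: The `info[]` initializer in the second hunk now passes the literal `"CustomField"`, but nothing in the code records that the name has to outlive the call, so a later edit could reintroduce a per-tag stack or heap buffer and the same out-of-bounds read. I would add above the initializer `// libtiff keeps the field_name pointer after the merge, so the name needs static storage duration`. The `info[]` array is itself still a local; the commit message says only the name is retained, and that is worth confirming for each libtiff version the build supports, since the merge call is outside the hunk. Every custom tag now shares one name, so libtiff diagnostics that print the field name will presumably no longer tell them apart. The function body continues past the end of this hunk.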