From 31b5f17f793dea355b6450613bc2d9960ab9d8d8 Mon Sep 17 00:00:00 2001
From: Lucas CHOLLET
Date: Wed, 27 Dec 2023 21:42:52 -0500
Subject: [PATCH] LibGfx/TIFF: Reject images with invalid StripByteCounts or StripOffsets

These two arrays should have the exact same size, files not respecting this condition should be considered as invalid.
---
 Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
index 8f7ffc85fe..432133896b 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
@@ -195,6 +195,9 @@ private:
 auto const strips_offset = *m_metadata.strip_offsets();
 auto const strip_byte_counts = *m_metadata.strip_byte_counts();
+ if (strips_offset.size() != strip_byte_counts.size())
+ return Error::from_string_literal("TIFFImageDecoderPlugin: StripsOffset and StripByteCount have different sizes, aborting...");
+
 for (u32 strip_index = 0; strip_index < strips_offset.size(); ++strip_index) {
 TRY(m_stream->seek(strips_offset[strip_index]));
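Review bot: The new size comparison runs only after `*m_metadata.strip_offsets()` and `*m_metadata.strip_byte_counts()` have already been dereferenced on the two lines above it, so a file that omits either tag is not rejected by this check. Unless both tags are validated earlier in the function (which starts and ends outside this hunk), I would guard first with `if (!m_metadata.strip_offsets().has_value() || !m_metadata.strip_byte_counts().has_value()) return Error::from_string_literal("TIFFImageDecoderPlugin: Missing StripOffsets or StripByteCounts");`, so that malformed input produces a decode error instead of reaching the Optional dereference. Equal sizes also do not bound the values themselves: each offset and byte count still comes from the file, so it is worth confirming that the per-strip decode handles a count larger than the remaining stream. Minor: the message names the tags `StripsOffset` and `StripByteCount`, while the commit subject uses `StripOffsets` and `StripByteCounts`; matching the tag names would make the error easier to search for.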