1 diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c 2 index b93b4c7..0674fa4 100644 3 --- a/third_party/libtiff/tif_pixarlog.c 4 +++ b/third_party/libtiff/tif_pixarlog.c 5 @@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op, 6 typedef struct { 7 TIFFPredictorState predict; 8 z_stream stream; 9 + tmsize_t tbuf_size; /* only set/used on reading for now */ 10 uint16 *tbuf; 11 uint16 stride; 12 int state; 13 @@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif) 14 sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); 15 if (sp->tbuf == NULL) 16 return (0); 17 + sp->tbuf_size = tbuf_size; 18 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) 19 sp->user_datafmt = PixarLogGuessDataFmt(td); 20 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { 21 @@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) 22 TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); 23 return (0); 24 } 25 + /* Check that we will not fill more than what was allocated */ 26 + if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size) 27 + { 28 + TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); 29 + return (0); 30 + } 31 do { 32 int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); 33 if (state == Z_STREAM_END) { 34
