Source: tiff
Version: 4.0.3-12.3
Severity: normal
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2619

Hi,

This was forwarded to upstream to http://bugzilla.maptools.org/show_bug.cgi?id=2619 .

From a quick look at the code:

    static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
                                             uint32 width, uint16 spp,
                                             struct dump_opts *dump)
    {
    [...]
      uint32 src_rowsize, dst_rowsize, rows_processed, rps;
    [...]
      src_rowsize = ((bps * width) + 7) / 8;
    [...]
      rows_processed = 0;
      for (j = 0; (j < strips_per_sample) && (result == 1); j++)
        {
        for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
          {
          buff = srcbuffs[s];
          strip = (s * strips_per_sample) + j;
          bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
          rows_this_strip = bytes_read / src_rowsize;

would lead to a division-by-zero in tiffcrop if bps would be zero. I have not researched when this could happen.

Regards,
Salvatore
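
Added example, not part of the original report and not the upstream fix: a defensive form of the row-count computation quoted above. The helper name rows_in_strip and its signature are hypothetical; it goes beyond the bps == 0 case by multiplying in 64 bits, because a 32-bit wrap of (bps * width) + 7 can also produce a zero row size.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not tiffcrop code): number of whole rows in a decoded
 * strip. Returns 0 on success, -1 when the inputs cannot give a usable row
 * size or when the strip read itself failed. */
static int rows_in_strip(uint16_t bps, uint32_t width, int64_t bytes_read,
                         uint32_t *rows_out)
{
    uint64_t rowsize, rows;

    if (rows_out == NULL)
        return -1;
    /* bps == 0 or width == 0 makes the row size, i.e. the divisor, zero. */
    if (bps == 0 || width == 0)
        return -1;
    /* 64-bit arithmetic: the product cannot wrap around to a zero divisor. */
    rowsize = ((uint64_t)bps * width + 7) / 8;
    if (rowsize > UINT32_MAX)
        return -1;              /* does not fit the uint32 row-size variable */
    /* A failed strip read is reported as a negative byte count. */
    if (bytes_read < 0)
        return -1;
    rows = (uint64_t)bytes_read / rowsize;
    if (rows > UINT32_MAX)
        return -1;
    *rows_out = (uint32_t)rows;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real TIFF file. */
    uint32_t rows = 0;
    int rc = rows_in_strip(8, 100, 800, &rows);
    printf("bps=8 width=100 bytes=800 -> rc=%d rows=%u\n", rc, (unsigned)rows);
    rc = rows_in_strip(0, 100, 800, &rows);
    printf("bps=0 width=100 bytes=800 -> rc=%d (rejected)\n", rc);
    return 0;
}
```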

