1*4882a593SmuzhiyunFrom 7b91458541769f3d7eddc55a39d01730af2489fc Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Even Rouault <even.rouault@spatialys.com> 3*4882a593SmuzhiyunDate: Sat, 5 Feb 2022 20:36:41 +0100 4*4882a593SmuzhiyunSubject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null 5*4882a593Smuzhiyun source pointer and size of zero (fixes #362) 6*4882a593Smuzhiyun 7*4882a593SmuzhiyunUpstream-Status: Backport 8*4882a593SmuzhiyunCVE: CVE-2022-0562 9*4882a593Smuzhiyun 10*4882a593Smuzhiyun--- 11*4882a593Smuzhiyun libtiff/tif_dirread.c | 3 ++- 12*4882a593Smuzhiyun 1 file changed, 2 insertions(+), 1 deletion(-) 13*4882a593Smuzhiyun 14*4882a593Smuzhiyundiff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c 15*4882a593Smuzhiyunindex d84147a..ae52ad4 100644 16*4882a593Smuzhiyun--- a/libtiff/tif_dirread.c 17*4882a593Smuzhiyun+++ b/libtiff/tif_dirread.c 18*4882a593Smuzhiyun@@ -4173,7 +4173,8 @@ TIFFReadDirectory(TIFF* tif) 19*4882a593Smuzhiyun goto bad; 20*4882a593Smuzhiyun } 21*4882a593Smuzhiyun 22*4882a593Smuzhiyun- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); 23*4882a593Smuzhiyun+ if (old_extrasamples > 0) 24*4882a593Smuzhiyun+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); 25*4882a593Smuzhiyun _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); 26*4882a593Smuzhiyun _TIFFfree(new_sampleinfo); 27*4882a593Smuzhiyun } 28