1*4882a593SmuzhiyunFrom 895867b72bd6c46da79de1a07d0993cd104e92cd Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Even Rouault <even.rouault@spatialys.com> 3*4882a593SmuzhiyunDate: Sun, 6 Feb 2022 13:08:38 +0100 4*4882a593SmuzhiyunSubject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null 5*4882a593Smuzhiyun source pointer and size of zero (fixes #362) 6*4882a593Smuzhiyun 7*4882a593SmuzhiyunUpstream-Status: Backport 8*4882a593SmuzhiyunCVE: CVE-2022-0561 9*4882a593Smuzhiyun 10*4882a593Smuzhiyun--- 11*4882a593Smuzhiyun libtiff/tif_dirread.c | 5 +++-- 12*4882a593Smuzhiyun 1 file changed, 3 insertions(+), 2 deletions(-) 13*4882a593Smuzhiyun 14*4882a593Smuzhiyundiff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c 15*4882a593Smuzhiyunindex ae52ad4..d654a1c 100644 16*4882a593Smuzhiyun--- a/libtiff/tif_dirread.c 17*4882a593Smuzhiyun+++ b/libtiff/tif_dirread.c 18*4882a593Smuzhiyun@@ -5766,8 +5766,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l 19*4882a593Smuzhiyun _TIFFfree(data); 20*4882a593Smuzhiyun return(0); 21*4882a593Smuzhiyun } 22*4882a593Smuzhiyun- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); 23*4882a593Smuzhiyun- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); 24*4882a593Smuzhiyun+ if( dir->tdir_count ) 25*4882a593Smuzhiyun+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); 26*4882a593Smuzhiyun+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); 27*4882a593Smuzhiyun _TIFFfree(data); 28*4882a593Smuzhiyun data=resizeddata; 29*4882a593Smuzhiyun } 30