From 867ca61755584921eea2882b6b6ebac3bd42e8bf Mon Sep 17 00:00:00 2001
From: Harald Kuhr <harald.kuhr@gmail.com>
Date: Wed, 26 Aug 2015 11:16:35 +0200
Subject: [PATCH] TMI #172: Fix IIOBE/Buffer overflow issue.

---
 .../imageio/plugins/tiff/TIFFImageReader.java    |   2 +-
 .../plugins/tiff/TIFFImageReaderTest.java        |   1 +
 .../test/resources/tiff/lzw-buffer-overflow.tif  | Bin 0 -> 1986 bytes
 3 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 imageio/imageio-tiff/src/test/resources/tiff/lzw-buffer-overflow.tif

diff --git a/imageio/imageio-tiff/src/main/java/com/twelvemonkeys/imageio/plugins/tiff/TIFFImageReader.java b/imageio/imageio-tiff/src/main/java/com/twelvemonkeys/imageio/plugins/tiff/TIFFImageReader.java
index b52d977b..c77fe49d 100755
--- a/imageio/imageio-tiff/src/main/java/com/twelvemonkeys/imageio/plugins/tiff/TIFFImageReader.java
+++ b/imageio/imageio-tiff/src/main/java/com/twelvemonkeys/imageio/plugins/tiff/TIFFImageReader.java
@@ -1497,7 +1497,7 @@ public class TIFFImageReader extends ImageReaderBase {
             case TIFFBaseline.COMPRESSION_PACKBITS:
                 return new DecoderStream(stream, new PackBitsDecoder(), 1024);
             case TIFFExtension.COMPRESSION_LZW:
-                return new DecoderStream(stream, LZWDecoder.create(LZWDecoder.isOldBitReversedStream(stream)), width * bands);
+                return new DecoderStream(stream, LZWDecoder.create(LZWDecoder.isOldBitReversedStream(stream)), Math.max(width * bands, 1024));
             case TIFFExtension.COMPRESSION_ZLIB:
                 // TIFFphotoshop.pdf (aka TIFF specification, supplement 2) says ZLIB (8) and DEFLATE (32946) algorithms are identical
             case TIFFExtension.COMPRESSION_DEFLATE:
diff --git a/imageio/imageio-tiff/src/test/java/com/twelvemonkeys/imageio/plugins/tiff/TIFFImageReaderTest.java b/imageio/imageio-tiff/src/test/java/com/twelvemonkeys/imageio/plugins/tiff/TIFFImageReaderTest.java
index a6cd4b47..6d00c633 100644
--- a/imageio/imageio-tiff/src/test/java/com/twelvemonkeys/imageio/plugins/tiff/TIFFImageReaderTest.java
+++ b/imageio/imageio-tiff/src/test/java/com/twelvemonkeys/imageio/plugins/tiff/TIFFImageReaderTest.java
@@ -87,6 +87,7 @@ public class TIFFImageReaderTest extends ImageReaderAbstractTest<TIFFImageReader
                 new TestData(getClassLoaderResource("/tiff/general-cmm-error.tif"), new Dimension(1181, 860)), // RGB, LZW compression with broken/incompatible ICC profile
                 new TestData(getClassLoaderResource("/tiff/lzw-rgba-padded-icc.tif"), new Dimension(19, 11)), // RGBA, LZW compression with padded ICC profile
                 new TestData(getClassLoaderResource("/tiff/lzw-rgba-4444.tif"), new Dimension(64, 64)), // RGBA, LZW compression with UINT 4/4/4/4 + gray 2/2
+                new TestData(getClassLoaderResource("/tiff/lzw-buffer-overflow.tif"), new Dimension(5, 49)), // RGBA, LZW compression, will throw IOOBE if small buffer
                 // CCITT
                 new TestData(getClassLoaderResource("/tiff/ccitt/group3_1d.tif"), new Dimension(6, 4)), // B/W, CCITT T4 1D
                 new TestData(getClassLoaderResource("/tiff/ccitt/group3_1d_fill.tif"), new Dimension(6, 4)), // B/W, CCITT T4 1D
diff --git a/imageio/imageio-tiff/src/test/resources/tiff/lzw-buffer-overflow.tif b/imageio/imageio-tiff/src/test/resources/tiff/lzw-buffer-overflow.tif
new file mode 100644
index 0000000000000000000000000000000000000000..d9b08dc37452687219ef2e682f78f6acd4494d02
GIT binary patch
literal 1986
zcma)+Uu+ar6vodC(^g5VDJ)B^(A-3=ttp$?wlQrHWVfYtX?NXhTMI~Hc4ue1W2ZCY
z%(e*W1Cp2qje@9&5);FpkYET;#_(VWFUSKyRH*tuOo;k`#>9k#7lZ3}XJ&UM1QT|5
zW`1+dcg{WM%<N64={X`Y4iL)@JRNNj`x3XZNh!9mWjT4GwXHwX-Tdw)Mc(<PvH6L^
zmwt<<HjIux{@ypw$lWi*US0F?l}`5PQpa5TCs%*{aPY<#Gh5#Ju5<F!-=l}dKL7qq
z|Dp71ZO7>wPpx!I->&WZ=;Aht2t=!}o<I#a2|mZcqRSGfD69%;8hsYwX(jj(OZ14a
z#<$~6Sm!g3j{3}VuCMD$LOWlP#|paeWSuL*hESd^pZQvG!kIciOG2;95%4i#OGuLo
z#ZJ1+D>%38P!myOGx#gyK(*fYB_J=pc1;w`g37XGvtl}B(_+Ju{VbhVG=tw$uPhG^
z#pC#~`13>k14F$7Jly*td)~5ikrB-s6+1VUWIK25W=%h!vlhb2M0v%r64~s8%h2*`
z?Zc}ey8EMB4qe~GbJctgd2O+=APQp8M`k_l=UniZHyPPmu`1B);jEPNMX&|#v8Qsw
z;LpI1&4#!T;-cy(L=8*Oysua`@-&Qq2NsoCp7ShNHj0`7zRB%HN0}!QBY44Ld={|b
zQyC}Px)HW3fo-=#boMmS`p&@C)kd^#hUk1>V7rrZ=OaX~Ii<c{H=WR&L><3Wt9Lqy
znvN3P`=DC==R~!7?<Ceh9T#<F!CrK=C``CY<kjm%BY&<&|HocWt_lzQIOaIBnrQrO
zqGPv+o;^pj7H?Iyg=lJ!!~<yAJLdHT%**|>;@qqn)04RJfA>w*+3vH@Sj>-LCWL+j
zxu}k82g~3>NgGXpd%#Ca_UN?F7qm)h%I7}}Ju~647&Qu+m%+#{Cap@6_XQRjoyAF>
z)3v{z-;o95UnJ^t<~Y~1gWuU-p2DnMKDEC*obmaBy^!PUVz%PXmhQg0s7?Hr(v+Yv
zQpvz!lST?L%E6MvH4BSLC0KQMxiagjJWHVS;&1!$=6yL;MAx*NsDKO(&AHk|u#P(~
zcLJ=_EbiuUXl_MLC^B3PuVok1HJuUCS@o)U-I`x_&<R6#w~^he_YGP=7GB>g=-KNr
z(3<tUJSsdTuS;HYtzzyC`V6YzJ>EZMK7j{mU1f$2_SC&h{z?8zUXhQ>r{q6*p36&L
zw*}r6>HMDS&6k(B=ScfPSKv8lzoseI4*$(PCF4kY;NezvIdhkLqz)-ArKACAkeKwM
zv`yM7jo@yxG*Q<>Mbqd_qrI4bjpvm|M+WVKBIq)B##B+?#6ChaY+CzlZMIxte8*)8
zY=tUI8A_~&<#nC8E{EBwquPsVF-G3L#3QLMofuOM)z%bjz**ZYX$b8q<Q=uhOoRD8
V#&>7m+wI1Ar^o}ML+*#g{{WhVUf=)#

literal 0
HcmV?d00001