diff options
author | Thomas Bernard <miniupnp@free.fr> | 2020-11-18 01:47:11 +0100 |
---|---|---|
committer | Thomas Bernard <miniupnp@free.fr> | 2020-11-18 01:47:11 +0100 |
commit | 916c1a4f8b0a4d6f4136d0b2edc2b14bd2c711a9 (patch) | |
tree | b42674e3fd5fd4578286b48532e9b771063610d8 | |
parent | dadd8c7dceafbeddcf47bc04fac354bb7d8a3615 (diff) | |
download | libtiff-git-916c1a4f8b0a4d6f4136d0b2edc2b14bd2c711a9.tar.gz |
tiffcrop: fix buffer overrun in extractContigSamples24bits()
fixes #113
-rw-r--r-- | tools/tiffcrop.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index 64a73a7a..d20b585a 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -3035,9 +3035,25 @@ extractContigSamples24bits (uint8 *in, uint8 *out, uint32 cols, src = in + src_byte; matchbits = maskbits << (32 - src_bit - bps); if (little_endian) - buff1 = (src[0] << 24) | (src[1] << 16) | (src[2] << 8) | src[3]; + { + buff1 = (src[0] << 24); + if (matchbits & 0x00ff0000) + buff1 |= (src[1] << 16); + if (matchbits & 0x0000ff00) + buff1 |= (src[2] << 8); + if (matchbits & 0x000000ff) + buff1 |= src[3]; + } else - buff1 = (src[3] << 24) | (src[2] << 16) | (src[1] << 8) | src[0]; + { + buff1 = src[0]; + if (matchbits & 0x0000ff00) + buff1 |= (src[1] << 8); + if (matchbits & 0x00ff0000) + buff1 |= (src[2] << 16); + if (matchbits & 0xff000000) + buff1 |= (src[3] << 24); + } buff1 = (buff1 & matchbits) << (src_bit); if (ready_bits < 16) /* add another bps bits to the buffer */ |