tiffcrop: fix buffer overrun in extractContigSamples24bits()

fixes #113
author: Thomas Bernard <miniupnp@free.fr> 2020-11-18 01:47:11 +0100
committer: Thomas Bernard <miniupnp@free.fr> 2020-11-18 01:47:11 +0100
commit: 916c1a4f8b0a4d6f4136d0b2edc2b14bd2c711a9 (patch)
tree: b42674e3fd5fd4578286b48532e9b771063610d8
parent: dadd8c7dceafbeddcf47bc04fac354bb7d8a3615 (diff)
download: libtiff-git-916c1a4f8b0a4d6f4136d0b2edc2b14bd2c711a9.tar.gz
1 files changed, 18 insertions, 2 deletions
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 64a73a7a..d20b585a 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -3035,9 +3035,25 @@ extractContigSamples24bits (uint8 *in, uint8 *out, uint32 cols,
       src = in + src_byte;
       matchbits = maskbits << (32 - src_bit - bps); 
       if (little_endian)
-	buff1 = (src[0] << 24) | (src[1] << 16) | (src[2] << 8) | src[3];
+        {
+        buff1 = (src[0] << 24);
+        if (matchbits & 0x00ff0000)
+          buff1 |= (src[1] << 16);
+        if (matchbits & 0x0000ff00)
+          buff1 |= (src[2] << 8);
+        if (matchbits & 0x000000ff)
+          buff1 |= src[3];
+        }
       else
-	buff1 = (src[3] << 24) | (src[2] << 16) | (src[1] << 8) | src[0];
+        {
+        buff1 = src[0];
+        if (matchbits & 0x0000ff00)
+          buff1 |= (src[1] << 8);
+        if (matchbits & 0x00ff0000)
+          buff1 |= (src[2] << 16);
+        if (matchbits & 0xff000000)
+          buff1 |= (src[3] << 24);
+        }
       buff1 = (buff1 & matchbits) << (src_bit);
 
       if (ready_bits < 16) /* add another bps bits to the buffer */
author	Thomas Bernard <miniupnp@free.fr>	2020-11-18 01:47:11 +0100
committer	Thomas Bernard <miniupnp@free.fr>	2020-11-18 01:47:11 +0100
commit	916c1a4f8b0a4d6f4136d0b2edc2b14bd2c711a9 (patch)
tree	b42674e3fd5fd4578286b48532e9b771063610d8
parent	dadd8c7dceafbeddcf47bc04fac354bb7d8a3615 (diff)
download	libtiff-git-916c1a4f8b0a4d6f4136d0b2edc2b14bd2c711a9.tar.gz