authorEven Rouault <even.rouault@spatialys.com>2023-02-14 20:41:35 +0000
committerEven Rouault <even.rouault@spatialys.com>2023-02-14 20:41:35 +0000
commitc861f25cbcb8b3fe32ab1a0c13ced2d786eeb110 (patch)
tree82cfa3a22a5e0fee880e23aabaab7c15c64b362b
parentfeb8db628d38835bd9442d1fcbaf979c05487490 (diff)
parentec8ef90c1f573c9eb1f17d6a056aa0015f184acf (diff)
Merge branch 'tiffcrop_dont_reuse_input_buffer_fix_527' into 'master'
tiffcrop: Do not reuse input buffer for subsequent images. Fix issue 527 Closes #527 See merge request libtiff/libtiff!472
-rw-r--r--tools/tiffcrop.c47
1 files changed, 13 insertions, 34 deletions
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d7ad5ca8..d3e11ba2 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
uint32_t tw = 0, tl = 0; /* Tile width and length */
tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
int readunit = 0;
- static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
}
read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
{
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- read_buff =
- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ _TIFFfree(read_buff);
}
- else
+ if (buffsize > 0xFFFFFFFFU - 3)
{
- if (prev_readsize < buffsize)
- {
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage",
- "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff =
- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free(read_buff);
- read_buff = (unsigned char *)limitMalloc(
- buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large");
+ return (-1);
}
+ read_buff =
+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (!read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ TIFFError("loadImage", "Unable to allocate read buffer");
return (-1);
}
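Review bot: After `_TIFFfree(read_buff);` the caller's `*read_ptr` still holds the freed address, and both early `return (-1);` paths that follow (the size check and the failed `limitMalloc`) leave it that way. If the caller frees or reuses its buffer pointer on the error path, which is not visible in this hunk, that becomes a double free or use-after-free; adding `*read_ptr = NULL;` immediately after the free closes this off. The new comment also still refers to `prev_readsize`, which this commit removes, so it would read better as `... reallocate that buffer with a different size than loadImage() last recorded`. loadImage's body starts and ends outside the hunk.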
@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
read_buff[buffsize + 1] = 0;
read_buff[buffsize + 2] = 0;
- prev_readsize = buffsize;
*read_ptr = read_buff;
/* N.B. The read functions used copy separate plane data into a buffer as