author | Su_Laus <sulau@freenet.de> | 2023-02-14 20:43:43 +0100 |
---|---|---|
committer | Su_Laus <sulau@freenet.de> | 2023-02-14 20:43:43 +0100 |
commit | ec8ef90c1f573c9eb1f17d6a056aa0015f184acf (patch) | |
tree | 82cfa3a22a5e0fee880e23aabaab7c15c64b362b | |
parent | feb8db628d38835bd9442d1fcbaf979c05487490 (diff) | |
download | libtiff-git-ec8ef90c1f573c9eb1f17d6a056aa0015f184acf.tar.gz |
tiffcrop: Do not reuse input buffer for subsequent images. Fix issue 527
Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
Closes #527
-rw-r--r-- | tools/tiffcrop.c | 47 |
1 files changed, 13 insertions, 34 deletions
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d7ad5ca8..d3e11ba2 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
 uint32_t tw = 0, tl = 0; /* Tile width and length */
 tmsize_t tile_rowsize = 0;
 unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
 int readunit = 0;
- static tmsize_t prev_readsize = 0;
 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
 }
 read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
 {
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- read_buff =
- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ _TIFFfree(read_buff);
 }
- else
+ if (buffsize > 0xFFFFFFFFU - 3)
 {
- if (prev_readsize < buffsize)
- {
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage",
- "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff =
- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free(read_buff);
- read_buff = (unsigned char *)limitMalloc(
- buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large");
+ return (-1);
 }
+ read_buff =
+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
 if (!read_buff)
 {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ TIFFError("loadImage", "Unable to allocate read buffer");
 return (-1);
 }
@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
 read_buff[buffsize + 1] = 0;
 read_buff[buffsize + 2] = 0;
- prev_readsize = buffsize;
 *read_ptr = read_buff;
 /* N.B. The read functions used copy separate plane data into a buffer as |
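Review bot: After `_TIFFfree(read_buff);` the two early `return (-1);` paths (the size check and a failed limitMalloc()) leave `*read_ptr` holding the freed address, because `*read_ptr = read_buff;` is only reached further down, after a successful allocation. The caller is not visible on this page, but if it frees or reads its buffer pointer after loadImage() fails, that becomes a double free or use-after-free; adding `*read_ptr = NULL;` directly after the `_TIFFfree(read_buff);` call closes that window. Separately, the guard `buffsize > 0xFFFFFFFFU - 3` hard-codes 3 while the allocation adds `NUM_BUFF_OVERSIZE_BYTES`; writing the guard with that same constant would keep the overflow check tied to the padding actually requested. loadImage() begins and ends outside this hunk.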