diff options
author | erouault <erouault> | 2014-12-24 16:32:28 +0000 |
---|---|---|
committer | erouault <erouault> | 2014-12-24 16:32:28 +0000 |
commit | f7cdda2aeab08298aec48b11c8ce9f99de949c02 (patch) | |
tree | 4d365b8a714100e407ddc3b43631884721f46836 | |
parent | 1adda3b9eda65723a3043d0d8b4f14647f5e9588 (diff) | |
download | libtiff-f7cdda2aeab08298aec48b11c8ce9f99de949c02.tar.gz |
* tools/tiff2pdf.c: fix buffer overflow on some YCbCr JPEG compressed images.
http://bugzilla.maptools.org/show_bug.cgi?id=2445
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | tools/tiff2pdf.c | 6 |
2 files changed, 9 insertions, 2 deletions
@@ -1,5 +1,10 @@ 2014-12-24 Even Rouault <even.rouault@spatialys.com> + * tools/tiff2pdf.c: fix buffer overflow on some YCbCr JPEG compressed images. + http://bugzilla.maptools.org/show_bug.cgi?id=2445 + +2014-12-24 Even Rouault <even.rouault@spatialys.com> + * tools/tiff2pdf.c: fix buffer overflow on YCbCr JPEG compressed image. Derived from patch by Petr Gajdos, http://bugzilla.maptools.org/show_bug.cgi?id=2443 diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c index eb2a2dab..400b218f 100644 --- a/tools/tiff2pdf.c +++ b/tools/tiff2pdf.c @@ -1,4 +1,4 @@ -/* $Id: tiff2pdf.c,v 1.80 2014-12-24 15:38:11 erouault Exp $ +/* $Id: tiff2pdf.c,v 1.81 2014-12-24 16:32:28 erouault Exp $ * * tiff2pdf - converts a TIFF image to a PDF document * @@ -1954,9 +1954,11 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){ } for(i=0;i<stripcount;i++){ k = checkAdd64(k, sbc[i], t2p); - k -=4; /* don't use SOI or EOI of strip */ + k -=2; /* don't use EOI of strip */ + k +=2; /* add space for restart marker */ } k = checkAdd64(k, 2, t2p); /* use EOI of last strip */ + k = checkAdd64(k, 6, t2p); /* for DRI marker of first strip */ t2p->tiff_datasize = (tsize_t) k; if ((uint64) t2p->tiff_datasize != k) { TIFFError(TIFF2PDF_MODULE, "Integer overflow"); |