authorerouault <erouault>2016-12-17 19:45:28 +0000
committererouault <erouault>2016-12-17 19:45:28 +0000
commit64ec2e69b4d1fb4843d4f92c48d6a7cf8a80f4d5 (patch)
tree9e078563171ff27f6c13733afe33396e687a8b45
parent3c1ab603f3c68a9443b3eaa893cec37e41b8d212 (diff)
downloadlibtiff-64ec2e69b4d1fb4843d4f92c48d6a7cf8a80f4d5.tar.gz
* tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
and PSDataColorContig). Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and http://bugzilla.maptools.org/show_bug.cgi?id=2634.
-rw-r--r--ChangeLog7
-rw-r--r--tools/tiff2ps.c9
2 files changed, 14 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 5d13f3f4..82b2580e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-12-17 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
+ and PSDataColorContig). Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2634.
+
2016-12-13 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
index 82a5d84b..71df4309 100644
--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2ps.c,v 1.54 2015-06-21 01:09:10 bfriesen Exp $ */
+/* $Id: tiff2ps.c,v 1.55 2016-12-17 19:45:28 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -2440,6 +2440,11 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
unsigned char *cp, c;
(void) w;
+ if( es <= 0 )
+ {
+ TIFFError(filename, "Inconsistent value of es: %d", es);
+ return;
+ }
tf_buf = (unsigned char *) _TIFFmalloc(tf_bytesperrow);
if (tf_buf == NULL) {
TIFFError(filename, "No space for scanline buffer");
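Review bot: The new guard `if( es <= 0 )` in PSDataColorContig also rejects `es == 0`, which looks like it may be a valid input rather than an inconsistent one. The definition of `es` is outside this hunk, but if it is the number of extra samples per pixel (samples per pixel minus `nc`), zero is the ordinary case of an image with no extra channels, and this check would make every such image fail with an error. Please confirm the intended bound; if only negative values are inconsistent, the condition should be `if( es < 0 )`. It would also help diagnosis if the TIFFError message reported the values `es` was computed from, not only `es` itself. The function body starts and ends outside the hunk.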
@@ -2692,7 +2697,7 @@ PSDataBW(FILE* fd, TIFF* tif, uint32 w, uint32 h)
if (alpha) {
int adjust;
- while (cc-- > 0) {
+ while (cc-- > 1) {
DOBREAK(breaklen, 1, fd);
/*
* For images with alpha, matte against
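Review bot: The new loop bound `while (cc-- > 1)` in PSDataBW has no comment saying why it is 1 rather than 0, and the reason cannot be read off the lines around it. The loop body continues outside the hunk, but the matting comment suggests each iteration consumes a gray/alpha byte pair, so the bound presumably stops the loop before a lone trailing byte. I would add a comment above the loop such as `/* each pass reads a gray+alpha pair; stop when fewer than 2 bytes remain so cp never runs past the strip buffer */`. A trailing odd byte is then dropped silently; consider whether an odd `cc` should be reported through TIFFError, since it would indicate a malformed strip.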