diff options
author | erouault <erouault> | 2016-12-18 10:37:59 +0000 |
---|---|---|
committer | erouault <erouault> | 2016-12-18 10:37:59 +0000 |
commit | b3793c50229cf4774f578d40df615e0c894fa22c (patch) | |
tree | 4d7a1c9239839c9495c7446a542d87e208ecbd29 | |
parent | 347f374f03ed06a8897d78e6aa76692bb7e2cefc (diff) | |
download | libtiff-b3793c50229cf4774f578d40df615e0c894fa22c.tar.gz |
* tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | tools/tiff2pdf.c | 8 |
2 files changed, 14 insertions, 1 deletions
@@ -1,3 +1,10 @@ +2016-12-18 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode + on a paletted image. Note: this fix errors out before the overflow + happens. There could probably be a better fix. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635 + 2016-12-17 Even Rouault <even.rouault at spatialys.com> * libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt() diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c index fe8a6ea7..afea414b 100644 --- a/tools/tiff2pdf.c +++ b/tools/tiff2pdf.c @@ -1,4 +1,4 @@ -/* $Id: tiff2pdf.c,v 1.97 2016-11-11 21:28:24 erouault Exp $ +/* $Id: tiff2pdf.c,v 1.98 2016-12-18 10:37:59 erouault Exp $ * * tiff2pdf - converts a TIFF image to a PDF document * @@ -3654,6 +3654,12 @@ tsize_t t2p_sample_realize_palette(T2P* t2p, unsigned char* buffer){ uint32 j=0; sample_count=t2p->tiff_width*t2p->tiff_length; component_count=t2p->tiff_samplesperpixel; + if( sample_count * component_count > t2p->tiff_datasize ) + { + TIFFError(TIFF2PDF_MODULE, "Error: sample_count * component_count > t2p->tiff_datasize"); + t2p->t2p_error = T2P_ERR_ERROR; + return 1; + } for(i=sample_count;i>0;i--){ palette_offset=buffer[i-1] * component_count; |