authorerouault <erouault>2016-12-20 17:28:17 +0000
committererouault <erouault>2016-12-20 17:28:17 +0000
commite3778f9e07463063e720ccc2f3d817e3692a678c (patch)
tree86b0bafd9e9e65269b3c47652d2459300ab13349
parent378e69b78fb12fd6bdfc329bb8fbebea307ef723 (diff)
downloadlibtiff-e3778f9e07463063e720ccc2f3d817e3692a678c.tar.gz
* tools/tiff2pdf.c: avoid potential heap-based overflow in
t2p_readwrite_pdf_image_tile(). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
-rw-r--r--ChangeLog6
-rw-r--r--tools/tiff2pdf.c4
2 files changed, 8 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 6be36026..91ba4e6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2016-12-20 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiff2pdf.c: avoid potential heap-based overflow in
+ t2p_readwrite_pdf_image_tile().
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiff2pdf.c: avoid potential invalid memory read in
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 5348f1a7..8e4e24ef 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2pdf.c,v 1.100 2016-12-20 17:24:35 erouault Exp $
+/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $
*
* tiff2pdf - converts a TIFF image to a PDF document
*
@@ -2895,7 +2895,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
return(0);
}
if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
- if (count >= 4) {
+ if (count > 4) {
int retTIFFReadRawTile;
/* Ignore EOI marker of JpegTables */
_TIFFmemcpy(buffer, jpt, count - 2);
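Review bot: The tightened guard `if (count > 4)` only sets a lower bound, so the `_TIFFmemcpy(buffer, jpt, count - 2)` that follows still copies a length taken from the file's JPEGTABLES tag, with no upper-bound check visible in this hunk. The allocation of `buffer` sits earlier in t2p_readwrite_pdf_image_tile(), outside the hunk, so it is worth confirming that its size accounts for `count - 2` plus the raw tile data, and not relying on this test alone. The threshold is also unexplained; a comment above the test such as `/* a table of 4 bytes or fewer carries no data between its markers; skip it */` would record why 4 is now excluded (presumably a bare SOI+EOI pair — confirm against the bug report). The function's body continues past the end of the hunk, so the later uses of the copied bytes could not be reviewed here.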