diff options
author | erouault <erouault> | 2016-11-11 21:22:50 +0000 |
---|---|---|
committer | erouault <erouault> | 2016-11-11 21:22:50 +0000 |
commit | 2b2b304804ee0ff19af05704d4c82998b94ce41b (patch) | |
tree | 6c65fa6d69a88ebc07835119b79c3a364d2393c7 | |
parent | 02de927c729ce7b0aba89a198383790d4f8956ce (diff) | |
download | libtiff-2b2b304804ee0ff19af05704d4c82998b94ce41b.tar.gz |
* tools/tiff2pdf.c: avoid undefined behaviour related to overlapping
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | tools/tiff2pdf.c | 9 |
2 files changed, 14 insertions, 2 deletions
@@ -1,5 +1,12 @@ 2016-11-11 Even Rouault <even.rouault at spatialys.com> + * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping + of source and destination buffer in memcpy() call in + t2p_sample_rgbaa_to_rgb() + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577 + +2016-11-11 Even Rouault <even.rouault at spatialys.com> + * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds in t2p_read_tiff_size() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576 diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c index 6e3c6145..a436b385 100644 --- a/tools/tiff2pdf.c +++ b/tools/tiff2pdf.c @@ -1,4 +1,4 @@ -/* $Id: tiff2pdf.c,v 1.95 2016-11-11 21:15:25 erouault Exp $ +/* $Id: tiff2pdf.c,v 1.96 2016-11-11 21:22:50 erouault Exp $ * * tiff2pdf - converts a TIFF image to a PDF document * @@ -3696,7 +3696,12 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount) { uint32 i; - for(i = 0; i < samplecount; i++) + /* For the 3 first samples, there is overlapping between souce and + destination, so huge memmove(). + See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */ + for(i = 0; i < 3 && i < samplecount; i++) + memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3); + for(; i < samplecount; i++) memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3); return(i * 3); |