* tools/tiff2pdf.c: avoid undefined behaviour related to overlapping

of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577

2 files changed, 14 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 42616686..a29d262b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2016-11-11 Even Rouault <even.rouault at spatialys.com>
 
+	* tools/tiff2pdf.c: avoid undefined behaviour related to overlapping
+	of source and destination buffer in memcpy() call in
+	t2p_sample_rgbaa_to_rgb()
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
+
+2016-11-11 Even Rouault <even.rouault at spatialys.com>
+
 	* tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds
 	in t2p_read_tiff_size()
 	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 6e3c6145..a436b385 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2pdf.c,v 1.95 2016-11-11 21:15:25 erouault Exp $
+/* $Id: tiff2pdf.c,v 1.96 2016-11-11 21:22:50 erouault Exp $
  *
  * tiff2pdf - converts a TIFF image to a PDF document
  *
@@ -3696,7 +3696,12 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount)
 {
 	uint32 i;
 	
-	for(i = 0; i < samplecount; i++)
+    /* For the 3 first samples, there is overlapping between souce and
+       destination, so huge memmove().
+       See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
+    for(i = 0; i < 3 && i < samplecount; i++)
+        memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
+	for(; i < samplecount; i++)
 		memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
 
 	return(i * 3);