diff options
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | tools/tiff2pdf.c | 9 |
2 files changed, 14 insertions, 2 deletions
@@ -1,5 +1,12 @@ 2016-11-11 Even Rouault <even.rouault at spatialys.com> + * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping + of source and destination buffer in memcpy() call in + t2p_sample_rgbaa_to_rgb() + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577 + +2016-11-11 Even Rouault <even.rouault at spatialys.com> + * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds in t2p_read_tiff_size() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576 diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c index 6e3c6145..a436b385 100644 --- a/tools/tiff2pdf.c +++ b/tools/tiff2pdf.c @@ -1,4 +1,4 @@ -/* $Id: tiff2pdf.c,v 1.95 2016-11-11 21:15:25 erouault Exp $ +/* $Id: tiff2pdf.c,v 1.96 2016-11-11 21:22:50 erouault Exp $ * * tiff2pdf - converts a TIFF image to a PDF document * @@ -3696,7 +3696,12 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount) { uint32 i; - for(i = 0; i < samplecount; i++) + /* For the 3 first samples, there is overlapping between souce and + destination, so huge memmove(). + See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */ + for(i = 0; i < 3 && i < samplecount; i++) + memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3); + for(; i < samplecount; i++) memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3); return(i * 3); |