summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEven Rouault <even.rouault@spatialys.com>2020-02-09 13:11:39 +0000
committerEven Rouault <even.rouault@spatialys.com>2020-02-09 13:11:39 +0000
commitb4820b2179641e8638a9aac8105a4e1ea50ecbfa (patch)
treed33047f29b1a3fb461bae3faa015988a38df3c52
parent3334704ebcec6a8011fc5ef5d0904d6297a0b9ff (diff)
parentebf0864306f4f24ac25011cf5d752b94c897faa1 (diff)
downloadlibtiff-git-b4820b2179641e8638a9aac8105a4e1ea50ecbfa.tar.gz
Merge branch 'bug2855' into 'master'
tiff2ps: fix heap buffer read overflow in PSDataColorContig() Closes #161 See merge request libtiff/libtiff!102
-rw-r--r--tools/tiff2ps.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
index 5874aba6..31a318a8 100644
--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
@@ -2467,8 +2467,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
}
if (alpha) {
int adjust;
- cc = 0;
- for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
+ /*
+ * the code inside this loop reads nc bytes + 1 extra byte (for adjust)
+ */
+ for (cc = 0; (cc + nc) < tf_bytesperrow; cc += samplesperpixel) {
DOBREAK(breaklen, nc, fd);
/*
* For images with alpha, matte against
@@ -2486,8 +2488,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
cp += es;
}
} else {
- cc = 0;
- for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
+ /*
+ * the code inside this loop reads nc bytes per iteration
+ */
+ for (cc = 0; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
DOBREAK(breaklen, nc, fd);
switch (nc) {
case 4: c = *cp++; PUTHEX(c,fd);