diff options
author | Even Rouault <even.rouault@spatialys.com> | 2020-02-09 13:11:39 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2020-02-09 13:11:39 +0000 |
commit | b4820b2179641e8638a9aac8105a4e1ea50ecbfa (patch) | |
tree | d33047f29b1a3fb461bae3faa015988a38df3c52 | |
parent | 3334704ebcec6a8011fc5ef5d0904d6297a0b9ff (diff) | |
parent | ebf0864306f4f24ac25011cf5d752b94c897faa1 (diff) | |
download | libtiff-git-b4820b2179641e8638a9aac8105a4e1ea50ecbfa.tar.gz |
Merge branch 'bug2855' into 'master'
tiff2ps: fix heap buffer read overflow in PSDataColorContig()
Closes #161
See merge request libtiff/libtiff!102
-rw-r--r-- | tools/tiff2ps.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c index 5874aba6..31a318a8 100644 --- a/tools/tiff2ps.c +++ b/tools/tiff2ps.c @@ -2467,8 +2467,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc) } if (alpha) { int adjust; - cc = 0; - for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) { + /* + * the code inside this loop reads nc bytes + 1 extra byte (for adjust) + */ + for (cc = 0; (cc + nc) < tf_bytesperrow; cc += samplesperpixel) { DOBREAK(breaklen, nc, fd); /* * For images with alpha, matte against @@ -2486,8 +2488,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc) cp += es; } } else { - cc = 0; - for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) { + /* + * the code inside this loop reads nc bytes per iteration + */ + for (cc = 0; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) { DOBREAK(breaklen, nc, fd); switch (nc) { case 4: c = *cp++; PUTHEX(c,fd); |