author | Thomas Bernard <miniupnp@free.fr> | 2020-02-08 11:17:08 +0100 |
---|---|---|
committer | Thomas Bernard <miniupnp@free.fr> | 2020-02-08 12:10:56 +0100 |
commit | ebf0864306f4f24ac25011cf5d752b94c897faa1 (patch) | |
tree | d33047f29b1a3fb461bae3faa015988a38df3c52 | |
parent | 3334704ebcec6a8011fc5ef5d0904d6297a0b9ff (diff) | |
download | libtiff-git-ebf0864306f4f24ac25011cf5d752b94c897faa1.tar.gz |
tiff2ps: fix heap buffer read overflow in PSDataColorContig()
fixes #161 / http://bugzilla.maptools.org/show_bug.cgi?id=2855
in 05029fb7f1ecf771abaf90b5705b6cab9eb522a7 I missed that 1 extra byte is read
in this loop.
-rw-r--r-- | tools/tiff2ps.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
index 5874aba6..31a318a8 100644
--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
@@ -2467,8 +2467,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
 }
 if (alpha) {
 int adjust;
- cc = 0;
- for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
+ /*
+ * the code inside this loop reads nc bytes + 1 extra byte (for adjust)
+ */
+ for (cc = 0; (cc + nc) < tf_bytesperrow; cc += samplesperpixel) {
 DOBREAK(breaklen, nc, fd);
 /*
 * For images with alpha, matte against
@@ -2486,8 +2488,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
 cp += es;
 }
 } else {
- cc = 0;
- for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
+ /*
+ * the code inside this loop reads nc bytes per iteration
+ */
+ for (cc = 0; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
 DOBREAK(breaklen, nc, fd);
 switch (nc) {
 case 4: c = *cp++; PUTHEX(c,fd); |
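Review bot: The alpha-loop bound `(cc + nc) < tf_bytesperrow` in the first hunk accounts for the extra alpha byte only implicitly; `(cc + nc + 1) <= tf_bytesperrow` would spell out the nc + 1 bytes the new comment describes and stay parallel with the `<=` form kept in the non-alpha loop of the second hunk. The guard is sound only if `cp` moves by exactly `samplesperpixel` per iteration, presumably `nc` reads plus the visible `cp += es;`, and `es` is set outside this hunk, so the comment should state that invariant, e.g. `/* reads cp[0..nc]; relies on nc + es == samplesperpixel */`. `nc` is a signed `int` while the declarations of `cc` and `tf_bytesperrow` are not visible here, so it is worth confirming the comparison involves no signed/unsigned conversion. The diffstat shows only tools/tiff2ps.c changing, so a regression sample for #161 run under AddressSanitizer would keep this over-read from returning; PSDataColorContig's body starts and ends outside both hunks.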