be careful about printing corrupt inknames fields

2 files changed, 19 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index 559ea4a0..d8c1b468 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 2012-06-12  Frank Warmerdam  <warmerdam@google.com>
 
+	* libtiff/tif_print.c: Be careful about printing corrupt inknames.
+
 	* libtiff/tif_fax3.c: Ensure runs array is initialized to zeros.
 
 2012-06-07  Frank Warmerdam  <warmerdam@google.com>
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index d64afe16..5ae2df04 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -1,4 +1,4 @@
-/* $Id: tif_print.c,v 1.58 2012-06-08 05:15:21 fwarmerdam Exp $ */
+/* $Id: tif_print.c,v 1.59 2012-06-13 01:08:51 fwarmerdam Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -34,6 +34,9 @@
 
 #include <ctype.h>
 
+static void
+_TIFFprintAsciiBounded(FILE* fd, const char* cp, int max_chars);
+
 static const char *photoNames[] = {
     "min-is-white",				/* PHOTOMETRIC_MINISWHITE */
     "min-is-black",				/* PHOTOMETRIC_MINISBLACK */
@@ -387,9 +390,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
 		fprintf(fd, "  Ink Names: ");
 		i = td->td_samplesperpixel;
 		sep = "";
-		for (cp = td->td_inknames; i > 0; cp = strchr(cp,'\0')+1, i--) {
+		for (cp = td->td_inknames; 
+		     i > 0 && cp < td->td_inknames + td->td_inknameslen; 
+		     cp = strchr(cp,'\0')+1, i--) {
+			int max_chars = 
+				td->td_inknameslen - (cp - td->td_inknames);
 			fputs(sep, fd);
-			_TIFFprintAscii(fd, cp);
+			_TIFFprintAsciiBounded(fd, cp, max_chars);
 			sep = ", ";
 		}
                 fputs("\n", fd);
@@ -666,7 +673,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
 void
 _TIFFprintAscii(FILE* fd, const char* cp)
 {
-	for (; *cp != '\0'; cp++) {
+	_TIFFprintAsciiBounded( fd, cp, strlen(cp));
+}
+
+static void
+_TIFFprintAsciiBounded(FILE* fd, const char* cp, int max_chars)
+{
+	for (; max_chars > 0 && *cp != '\0'; cp++, max_chars--) {
 		const char* tp;
 
 		if (isprint((int)*cp)) {