diff options
author | erouault <erouault> | 2017-01-11 16:13:50 +0000 |
---|---|---|
committer | erouault <erouault> | 2017-01-11 16:13:50 +0000 |
commit | 87c6812d42ba770d6c604da8ad1f2adefae0616e (patch) | |
tree | 81e37307e60d381a4351f033213187a4e8790b22 | |
parent | 27537e1c2b5123364b5da5761ad3f604eb06ebed (diff) | |
download | libtiff-87c6812d42ba770d6c604da8ad1f2adefae0616e.tar.gz |
* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | libtiff/tif_jpeg.c | 9 |
2 files changed, 14 insertions, 1 deletions
@@ -1,5 +1,11 @@ 2017-01-11 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid + undefined behaviour caused by invalid shift exponent. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings of double to other data types to avoid undefined behaviour if the output range isn't big enough to hold the input value. diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c index 09ef4949..e45e2a4e 100644 --- a/libtiff/tif_jpeg.c +++ b/libtiff/tif_jpeg.c @@ -1,4 +1,4 @@ -/* $Id: tif_jpeg.c,v 1.125 2017-01-11 12:15:01 erouault Exp $ */ +/* $Id: tif_jpeg.c,v 1.126 2017-01-11 16:13:50 erouault Exp $ */ /* * Copyright (c) 1994-1997 Sam Leffler @@ -1632,6 +1632,13 @@ JPEGSetupEncode(TIFF* tif) "Invalig horizontal/vertical sampling value"); return (0); } + if( td->td_bitspersample > 16 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "BitsPerSample %d not allowed for JPEG", + td->td_bitspersample); + return (0); + } /* * A ReferenceBlackWhite field *must* be present since the |