diff options
author | erouault <erouault> | 2016-12-18 10:37:59 +0000 |
---|---|---|
committer | erouault <erouault> | 2016-12-18 10:37:59 +0000 |
commit | b3793c50229cf4774f578d40df615e0c894fa22c (patch) | |
tree | 4d7a1c9239839c9495c7446a542d87e208ecbd29 /tools | |
parent | 347f374f03ed06a8897d78e6aa76692bb7e2cefc (diff) | |
download | libtiff-b3793c50229cf4774f578d40df615e0c894fa22c.tar.gz |
* tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
Diffstat (limited to 'tools')
-rw-r--r-- | tools/tiff2pdf.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c index fe8a6ea7..afea414b 100644 --- a/tools/tiff2pdf.c +++ b/tools/tiff2pdf.c @@ -1,4 +1,4 @@ -/* $Id: tiff2pdf.c,v 1.97 2016-11-11 21:28:24 erouault Exp $ +/* $Id: tiff2pdf.c,v 1.98 2016-12-18 10:37:59 erouault Exp $ * * tiff2pdf - converts a TIFF image to a PDF document * @@ -3654,6 +3654,12 @@ tsize_t t2p_sample_realize_palette(T2P* t2p, unsigned char* buffer){ uint32 j=0; sample_count=t2p->tiff_width*t2p->tiff_length; component_count=t2p->tiff_samplesperpixel; + if( sample_count * component_count > t2p->tiff_datasize ) + { + TIFFError(TIFF2PDF_MODULE, "Error: sample_count * component_count > t2p->tiff_datasize"); + t2p->t2p_error = T2P_ERR_ERROR; + return 1; + } for(i=sample_count;i>0;i--){ palette_offset=buffer[i-1] * component_count; |