authorerouault <erouault>2016-12-18 10:37:59 +0000
committererouault <erouault>2016-12-18 10:37:59 +0000
commitb3793c50229cf4774f578d40df615e0c894fa22c (patch)
tree4d7a1c9239839c9495c7446a542d87e208ecbd29 /tools
parent347f374f03ed06a8897d78e6aa76692bb7e2cefc (diff)
* tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
on a paletted image. Note: this fix errors out before the overflow happens. There could probably be a better fix. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
Diffstat (limited to 'tools')
-rw-r--r--tools/tiff2pdf.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index fe8a6ea7..afea414b 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2pdf.c,v 1.97 2016-11-11 21:28:24 erouault Exp $
+/* $Id: tiff2pdf.c,v 1.98 2016-12-18 10:37:59 erouault Exp $
*
* tiff2pdf - converts a TIFF image to a PDF document
*
@@ -3654,6 +3654,12 @@ tsize_t t2p_sample_realize_palette(T2P* t2p, unsigned char* buffer){
uint32 j=0;
sample_count=t2p->tiff_width*t2p->tiff_length;
component_count=t2p->tiff_samplesperpixel;
+ if( sample_count * component_count > t2p->tiff_datasize )
+ {
+ TIFFError(TIFF2PDF_MODULE, "Error: sample_count * component_count > t2p->tiff_datasize");
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return 1;
+ }
for(i=sample_count;i>0;i--){
palette_offset=buffer[i-1] * component_count;
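Review bot: The added guard computes `sample_count * component_count` in 32-bit unsigned arithmetic (`uint32` times a promoted `uint16`), so for large image dimensions the product can wrap and compare as small against `t2p->tiff_datasize`, letting the loop below still write past the end of `buffer`. Doing the multiplication in a wider type closes that gap, e.g. `if( t2p->tiff_datasize < 0 || (uint64)sample_count * component_count > (uint64)t2p->tiff_datasize )`; the declaration of `tiff_datasize` is not visible here, so its signedness should be confirmed. The error path returns `1` from a function declared as returning `tsize_t`, so callers presumably need to test `t2p->t2p_error` rather than the return value; a short comment such as `/* expanded palette data would not fit in buffer; caller must check t2p_error */` above the check would make that explicit. The function body starts and ends outside this hunk.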