authorerouault <erouault>2016-10-08 15:04:31 +0000
committererouault <erouault>2016-10-08 15:04:31 +0000
commite31954999e2dab37653f9dc996f413c11cc0d0fe (patch)
tree4e83b1f003df505ea0f18917561616e8a73b9c2e /tools
parentfaf745d97c279e901a5d2a9b443dfc432c488673 (diff)
downloadlibtiff-e31954999e2dab37653f9dc996f413c11cc0d0fe.tar.gz
* tools/tiffcp.c: fix read of undefined variable in case of missing
required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c: fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow. Probably not a security issue but I can be wrong. Reported as MSVR 35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.
Diffstat (limited to 'tools')
-rw-r--r--tools/tiffcp.c6
-rw-r--r--tools/tiffcrop.c11
2 files changed, 10 insertions, 7 deletions
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index d415af32..56eca731 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.53 2015-06-21 01:09:10 bfriesen Exp $ */
+/* $Id: tiffcp.c,v 1.54 2016-10-08 15:04:31 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -592,8 +592,8 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
static int
tiffcp(TIFF* in, TIFF* out)
{
- uint16 bitspersample, samplesperpixel;
- uint16 input_compression, input_photometric;
+ uint16 bitspersample, samplesperpixel = 1;
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
copyFunc cf;
uint32 width, length;
struct cpTag* p;
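Review bot: `bitspersample` and `input_compression` are still declared without an initial value on the two lines this hunk changes, so the uninitialised read fixed here for `samplesperpixel` and `input_photometric` may remain for them when the input file lacks the corresponding tags. The reads are in the body of tiffcp(), which continues outside the hunk, so this has to be confirmed there. If `bitspersample` is only filled in by a conditional tag lookup, give it the TIFF default as well: `uint16 bitspersample = 1, samplesperpixel = 1;`. A comment such as `/* TIFF defaults, used when the input lacks these tags */` would record why these values were picked.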
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index ee38c97c..865e2ec2 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.40 2016-09-23 22:12:18 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.41 2016-10-08 15:04:31 erouault Exp $ */
/* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
* the image data through additional options listed below
@@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
{
uint8* bufp = buf;
int32 bytes_read = 0;
- uint16 strip, nstrips = TIFFNumberOfStrips(in);
+ uint32 strip, nstrips = TIFFNumberOfStrips(in);
uint32 stripsize = TIFFStripSize(in);
uint32 rows = 0;
uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
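Review bot: The context line `uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);` assigns the call's status return to `rps`, overwriting the rows-per-strip value the call has just written through `&rps`. After this line `rps` therefore holds the success flag rather than the tag value. The commit widens the strip counters but leaves this as is; splitting it into `uint32 rps = 0;` and `TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);` keeps the tag value. How `rps` is used afterwards is outside the hunk, so the practical effect should be checked in the rest of readContigStripsIntoBuffer().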
@@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
uint32 width, uint16 spp,
struct dump_opts *dump)
{
- int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+ uint32 j;
int32 bytes_read = 0;
- uint16 bps, nstrips, planar, strips_per_sample;
+ uint16 bps, planar;
+ uint32 nstrips;
+ uint32 strips_per_sample;
uint32 src_rowsize, dst_rowsize, rows_processed, rps;
uint32 rows_this_strip = 0;
tsample_t s;
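Review bot: The widened counters `j`, `nstrips` and `strips_per_sample` are declared as plain `uint32`, so nothing ties their width to the strip-count API and a later edit could narrow them again. Declaring them with libtiff's strip index type, `tstrip_t j, nstrips, strips_per_sample;`, would make that intent explicit, and the same applies to `strip, nstrips` in readContigStripsIntoBuffer(). `i` stays `int` on the changed line, so any comparison between it and the unsigned counters in the body, which continues outside the hunk, should be checked for signed/unsigned mixing. A one-line comment noting that the strip count can exceed 65535 would explain the change to later readers.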