From 05029fb7f1ecf771abaf90b5705b6cab9eb522a7 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sun, 24 Feb 2019 00:50:12 +0100
Subject: [PATCH] PSDataColorContig(): avoid heap buffer overrun

fixes http://bugzilla.maptools.org/show_bug.cgi?id=2844
each iteration of the loop read nc bytes
---
 tools/tiff2ps.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
index a5b943ec..78d702c9 100644
--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
@@ -2468,7 +2468,7 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
 		if (alpha) {
 			int adjust;
 			cc = 0;
-			for (; cc < tf_bytesperrow; cc += samplesperpixel) {
+			for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
 				DOBREAK(breaklen, nc, fd);
 				/*
 				 * For images with alpha, matte against
@@ -2487,7 +2487,7 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
 			}
 		} else {
 			cc = 0;
-			for (; cc < tf_bytesperrow; cc += samplesperpixel) {
+			for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
 				DOBREAK(breaklen, nc, fd);
 				switch (nc) {
 				case 4: c = *cp++; PUTHEX(c,fd);