diff --git a/ChangeLog b/ChangeLog index da51d9a4..ef0dceff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,24 @@ +2014-12-21 Even Rouault + + * tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none. + Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480) + Description: fix for Debian bug #741451 + tiffcp crashes when converting JPEG-encoded TIFF to a different + encoding (like none or lzw). For example this will probably fail: + tiffcp -c none jpeg_encoded_file.tif output.tif + The reason is that when the input file contains JPEG data, + the tiffcp code forces conversion to RGB space. However, + the output normally inherits YCbCr subsampling parameters + from the input, which leads to a smaller working buffer + than necessary. The buffer is subsequently overrun inside + cpStripToTile() (called from writeBufferToContigTiles). + Note that the resulting TIFF file would be scrambled even + if tiffcp wouldn't crash, since the output file would contain + RGB data intepreted as subsampled YCbCr values. + This patch fixes the problem by forcing RGB space on the output + TIF if the input is JPEG-encoded and output is *not* JPEG-encoded. + Author: Tomasz Buchert + 2014-12-21 Even Rouault Fix various crasher bugs on fuzzed images. diff --git a/tools/tiffcp.c b/tools/tiffcp.c index 53cf29a7..c186b9bd 100644 --- a/tools/tiffcp.c +++ b/tools/tiffcp.c @@ -1,4 +1,4 @@ -/* $Id: tiffcp.c,v 1.50 2013-03-06 03:35:09 tgl Exp $ */ +/* $Id: tiffcp.c,v 1.51 2014-12-21 16:28:37 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -633,6 +633,12 @@ tiffcp(TIFF* in, TIFF* out) TIFFSetField(out, TIFFTAG_PHOTOMETRIC, samplesperpixel == 1 ? PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV); + else if (input_compression == COMPRESSION_JPEG && + samplesperpixel == 3 ) { + /* RGB conversion was forced above + hence the output will be of the same type */ + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB); + } else CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT); if (fillorder != 0)