temporary hack toallocate runs buffer 2 words larger

2000-03-02 15:38:28 +00:00 · 2000-03-02 15:38:28 +00:00 · 58467248ea
commit 58467248ea
parent 0429017b0c
1 changed files with 24 additions and 2 deletions
--- a/libtiff/tif_fax3.c
+++ b/libtiff/tif_fax3.c
@ -1,4 +1,4 @@
-/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_fax3.c,v 1.6 1999-11-28 20:15:36 mwelles Exp $ */
+/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_fax3.c,v 1.7 2000-03-02 15:38:28 warmerda Exp $ */

 /*
 * Copyright (c) 1990-1997 Sam Leffler
@ -500,7 +500,29 @@ Fax3SetupState(TIFF* tif)
 		uint32 nruns = needsRefLine ?
 		     2*TIFFroundup(rowpixels,32) : rowpixels;

-		dsp->runs = (uint32*) _TIFFmalloc(nruns*sizeof (uint32));
+                /* 
+Problem
+-------
+
+Decoding the file frle_bug.tif causes a crash (such as with tiff2rgba). 
+
+In particular the array dsp->runs allocated in Fax3SetupState() is overrun 
+by 4-8 bytes.  This occurs when Fax3DecodeRLE() processes the first
+scanline.  The EXPAND1D() macro advances "pa" to be thisrun+512 (an
+alias for dsp->runs), pointing just beyond the end of the array.  Then 
+the call to _TIFFFax3fillruns() does an "*erun++ = 0;" which writes beyond 
+the end of the array.
+
+In the short term I have modified the dsp->runs allocation to add eight
+extra bytes to the runs buffer; however, I am only doing this because I
+don't understand the algorithm well enough to change it without risking
+more adverse side effects.
+
+Frank Warmerdam (warmerda@home.com)
+
+                */
+
+		dsp->runs = (uint32*) _TIFFmalloc(8+nruns*sizeof (uint32));
 		if (dsp->runs == NULL) {
 			TIFFError("Fax3SetupState",
 			    "%s: No space for Group 3/4 run arrays",