* tools/tiffdither.c: check memory allocations to avoid writing to
NULL pointer. Also check multiplication overflow. Fixes #2501, CVE-2014-8128. Derived from patch by Petr Gajdos.
This commit is contained in:
Even Rouault
parent
cb66df4e65
commit
7bed6738f2
@ -1,3 +1,9 @@
|
||||
2015-03-02 Even Rouault <even.rouault@spatialys.com>
|
||||
|
||||
* tools/tiffdither.c: check memory allocations to avoid writing to
|
||||
NULL pointer. Also check multiplication overflow. Fixes #2501,
|
||||
CVE-2014-8128. Derived from patch by Petr Gajdos.
|
||||
|
||||
2015-01-26 Even Rouault <even.rouault@spatialys.com>
|
||||
|
||||
* add html/v4.0.4beta.html under version control
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $Id: tiffdither.c,v 1.14 2013-05-02 14:44:29 tgl Exp $ */
|
||||
/* $Id: tiffdither.c,v 1.15 2015-03-02 16:16:38 erouault Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988-1997 Sam Leffler
|
||||
@ -39,6 +39,7 @@
|
||||
#endif
|
||||
|
||||
#include "tiffio.h"
|
||||
#include "tiffiop.h"
|
||||
|
||||
#define streq(a,b) (strcmp(a,b) == 0)
|
||||
#define strneq(a,b,n) (strncmp(a,b,n) == 0)
|
||||
@ -56,7 +57,7 @@ static void usage(void);
|
||||
* Floyd-Steinberg error propragation with threshold.
|
||||
* This code is stolen from tiffmedian.
|
||||
*/
|
||||
static void
|
||||
static int
|
||||
fsdither(TIFF* in, TIFF* out)
|
||||
{
|
||||
unsigned char *outline, *inputline, *inptr;
|
||||
@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out)
|
||||
int lastline, lastpixel;
|
||||
int bit;
|
||||
tsize_t outlinesize;
|
||||
int errcode = 0;
|
||||
|
||||
imax = imagelength - 1;
|
||||
jmax = imagewidth - 1;
|
||||
inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
|
||||
thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
|
||||
nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
|
||||
thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
|
||||
nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
|
||||
outlinesize = TIFFScanlineSize(out);
|
||||
outline = (unsigned char *) _TIFFmalloc(outlinesize);
|
||||
if (! (inputline && thisline && nextline && outline)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
goto skip_on_error;
|
||||
}
|
||||
|
||||
/*
|
||||
* Get first line
|
||||
@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out)
|
||||
nextline = tmpptr;
|
||||
lastline = (i == imax);
|
||||
if (TIFFReadScanline(in, inputline, i, 0) <= 0)
|
||||
break;
|
||||
goto skip_on_error;
|
||||
inptr = inputline;
|
||||
nextptr = nextline;
|
||||
for (j = 0; j < imagewidth; ++j)
|
||||
@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out)
|
||||
}
|
||||
}
|
||||
if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
|
||||
break;
|
||||
goto skip_on_error;
|
||||
}
|
||||
goto exit_label;
|
||||
|
||||
skip_on_error:
|
||||
errcode = 1;
|
||||
exit_label:
|
||||
_TIFFfree(inputline);
|
||||
_TIFFfree(thisline);
|
||||
_TIFFfree(nextline);
|
||||
_TIFFfree(outline);
|
||||
return errcode;
|
||||
}
|
||||
|
||||
static uint16 compression = COMPRESSION_PACKBITS;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user