From 8eb1504c3338b21be557e7340f68c9e5394b1cf2 Mon Sep 17 00:00:00 2001
From: Andrey Kiselev <dron@ak4719.spb.edu>
Date: Sun, 19 Sep 2004 10:08:38 +0000
Subject: [PATCH] Several buffer overruns fixed, as noted by Chris Evans.

---
 libtiff/tif_luv.c     | 10 +++++-----
 libtiff/tif_next.c    |  6 ++++--
 libtiff/tif_thunder.c |  8 +++++---
 3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 60487e07..f36eb784 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.10 2004-09-14 06:02:56 dron Exp $ */
+/* $Id: tif_luv.c,v 1.11 2004-09-19 10:08:38 dron Exp $ */
 
 /*
  * Copyright (c) 1997 Greg Ward Larson
@@ -214,11 +214,11 @@ LogL16Decode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
 				rc = *bp++ + (2-128);
 				b = (int16)(*bp++ << shft);
 				cc -= 2;
-				while (rc--)
+				while (rc-- && i < npixels)
 					tp[i++] |= b;
 			} else {			/* non-run */
 				rc = *bp++;		/* nul is noop */
-				while (--cc && rc--)
+				while (--cc && rc-- && i < npixels)
 					tp[i++] |= (int16)*bp++ << shft;
 			}
 		if (i != npixels) {
@@ -314,11 +314,11 @@ LogLuvDecode32(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
 				rc = *bp++ + (2-128);
 				b = (uint32)*bp++ << shft;
 				cc -= 2;
-				while (rc--)
+				while (rc-- && i < npixels)
 					tp[i++] |= b;
 			} else {			/* non-run */
 				rc = *bp++;		/* nul is noop */
-				while (--cc && rc--)
+				while (--cc && rc-- && i < npixels)
 					tp[i++] |= (uint32)*bp++ << shft;
 			}
 		if (i != npixels) {
diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
index c246520c..7b7cc90e 100644
--- a/libtiff/tif_next.c
+++ b/libtiff/tif_next.c
@@ -1,4 +1,4 @@
-/* $Header: /cvs/maptools/cvsroot/libtiff/libtiff/tif_next.c,v 1.3 2003-07-08 16:40:46 warmerda Exp $ */
+/* $Id: tif_next.c,v 1.4 2004-09-19 10:08:38 dron Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -87,7 +87,7 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s)
 			 */
 			off = (bp[0] * 256) + bp[1];
 			n = (bp[2] * 256) + bp[3];
-			if (cc < 4+n)
+			if (cc < 4+n || off+n > scanline)
 				goto bad;
 			_TIFFmemcpy(row+off, bp+4, n);
 			bp += 4+n;
@@ -140,3 +140,5 @@ TIFFInitNeXT(TIFF* tif, int scheme)
 	return (1);
 }
 #endif /* NEXT_SUPPORT */
+
+/* vim: set ts=8 sts=8 sw=8 noet: */
diff --git a/libtiff/tif_thunder.c b/libtiff/tif_thunder.c
index c7816498..a613a5ff 100644
--- a/libtiff/tif_thunder.c
+++ b/libtiff/tif_thunder.c
@@ -1,4 +1,4 @@
-/* $Id: tif_thunder.c,v 1.3 2004-09-14 06:42:55 dron Exp $ */
+/* $Id: tif_thunder.c,v 1.4 2004-09-19 10:08:38 dron Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -91,8 +91,10 @@ ThunderDecode(TIFF* tif, tidata_t op, tsize_t maxpixels)
 			} else
 				lastpixel |= lastpixel << 4;
 			npixels += n;
-			for (; n > 0; n -= 2)
-				*op++ = (tidataval_t) lastpixel;
+			if (npixels < maxpixels) {
+				for (; n > 0; n -= 2)
+					*op++ = (tidataval_t) lastpixel;
+			}
 			if (n == -1)
 				*--op &= 0xf0;
 			lastpixel &= 0xf;