cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add workaround to pal2rgb buffer overflow.

Browse Source
This commit is contained in:
Nathan Baker 2018-01-25 21:28:15 +00:00 committed by Olivier Paquet
parent 070abb3aae
commit 9171da596c
1 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
tools/pal2rgb.c
View File

@ -182,8 +182,21 @@ main(int argc, char* argv[])
{ unsigned char *ibuf, *obuf; { unsigned char *ibuf, *obuf;
register unsigned char* pp; register unsigned char* pp;
register uint32 x; register uint32 x;
ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); tmsize_t tss_in = TIFFScanlineSize(in);
obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); tmsize_t tss_out = TIFFScanlineSize(out);
if (tss_out / tss_in < 3) {
/*
* BUG 2750: The following code does not know about chroma
* subsampling of JPEG data. It assumes that the output buffer is 3x
* the length of the input buffer due to exploding the palette into
* RGB tuples. If this assumption is incorrect, it could lead to a
* buffer overflow. Go ahead and fail now to prevent that.
*/
fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
return -1;
}
ibuf = (unsigned char*)_TIFFmalloc(tss_in);
obuf = (unsigned char*)_TIFFmalloc(tss_out);
switch (config) { switch (config) {
case PLANARCONFIG_CONTIG: case PLANARCONFIG_CONTIG:
for (row = 0; row < imagelength; row++) { for (row = 0; row < imagelength; row++) {