cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tiffcrop.c: fix invertImage() for bps 2 and 4

Browse Source 
too much bytes were processed, causing a heap buffer overrun
    http://bugzilla.maptools.org/show_bug.cgi?id=2831
the loop counter must be
    for (col = 0; col < width; col += 8 / bps)

Also the values were not properly calculated. It should be
255-x, 15-x, 3-x for bps 8, 4, 2.

But anyway it is easyer to invert all bits as 255-x = ~x, etc.
(substracting from a binary number composed of all 1 is like inverting
the bits)
This commit is contained in:
Thomas Bernard 2019-02-11 23:08:25 +01:00
parent ae0bed1fe5
commit 9cfa5c4691
1 changed files with 6 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
tools/tiffcrop.c
View File

@ -9144,7 +9144,6 @@ static int
invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
{
uint32 row, col;
unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4;
unsigned char *src;
uint16 *src_uint16;
uint32 *src_uint32;
@ -9174,7 +9173,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
for (row = 0; row < length; row++)
for (col = 0; col < width; col++)
{
*src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
*src_uint32 = ~(*src_uint32);
src_uint32++;
}
break;
@ -9182,39 +9181,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
for (row = 0; row < length; row++)
for (col = 0; col < width; col++)
{
*src_uint16 = (uint16)0xFFFF - *src_uint16;
*src_uint16 = ~(*src_uint16);
src_uint16++;
}
break;
case 8: for (row = 0; row < length; row++)
for (col = 0; col < width; col++)
{
*src = (uint8)255 - *src;
src++;
}
break;
case 4: for (row = 0; row < length; row++)
for (col = 0; col < width; col++)
{
bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
bytebuff2 = 16 - (*src & 15);
*src = bytebuff1 << 4 & bytebuff2;
src++;
}
break;
case 2: for (row = 0; row < length; row++)
for (col = 0; col < width; col++)
{
bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
bytebuff2 = 4 - (uint8)(*src & 48 >> 4);
bytebuff3 = 4 - (uint8)(*src & 12 >> 2);
bytebuff4 = 4 - (uint8)(*src & 3);
*src = (bytebuff1 << 6) | (bytebuff2 << 4) | (bytebuff3 << 2) | bytebuff4;
src++;
}
break;
case 8:
case 4:
case 2:
case 1: for (row = 0; row < length; row++)
for (col = 0; col < width; col += 8 /(spp * bps))
for (col = 0; col < width; col += 8 / bps)
{
*src = ~(*src);
src++;