From 916c1a4f8b0a4d6f4136d0b2edc2b14bd2c711a9 Mon Sep 17 00:00:00 2001
From: Thomas Bernard
Date: Wed, 18 Nov 2020 01:47:11 +0100
Subject: [PATCH] tiffcrop: fix buffer overrun in extractContigSamples24bits()

fixes #113
---
 tools/tiffcrop.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 64a73a7a..d20b585a 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -3035,9 +3035,25 @@ extractContigSamples24bits (uint8 *in, uint8 *out, uint32 cols,
 src = in + src_byte;
 matchbits = maskbits << (32 - src_bit - bps);
 if (little_endian)
- buff1 = (src[0] << 24) | (src[1] << 16) | (src[2] << 8) | src[3];
+ {
+ buff1 = (src[0] << 24);
+ if (matchbits & 0x00ff0000)
+ buff1 |= (src[1] << 16);
+ if (matchbits & 0x0000ff00)
+ buff1 |= (src[2] << 8);
+ if (matchbits & 0x000000ff)
+ buff1 |= src[3];
+ }
 else
- buff1 = (src[3] << 24) | (src[2] << 16) | (src[1] << 8) | src[0];
+ {
+ buff1 = src[0];
+ if (matchbits & 0x0000ff00)
+ buff1 |= (src[1] << 8);
+ if (matchbits & 0x00ff0000)
+ buff1 |= (src[2] << 16);
+ if (matchbits & 0xff000000)
+ buff1 |= (src[3] << 24);
+ }
 buff1 = (buff1 & matchbits) << (src_bit);
 if (ready_bits < 16) /* add another bps bits to the buffer */
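Review bot: In the `else` branch the new guard on `src[3]` does not appear to bound the read. `matchbits` is `maskbits << (32 - src_bit - bps)`, so if `maskbits` holds the low `bps` bits and `src_bit` is below 8 (both are set outside this hunk, so this is inferred), the mask always has bits in the top byte and `matchbits & 0xff000000` is always true. On that path `src[3]` is then still fetched for every sample and a read past the end of the input can remain; deriving the guards from the number of bytes the sample spans, e.g. `(src_bit + bps + 7) / 8`, or from the remaining length of `in`, would not depend on byte-order-specific mask positions. Separately, `src[0] << 24` and `src[3] << 24` shift a value promoted to `int`, which is undefined for bytes of 0x80 and above; `buff1 = ((uint32)src[0] << 24);` avoids that. The function body starts and ends outside the hunk, and the diffstat shows only `tools/tiffcrop.c` changed, so no regression input for the reported overrun accompanies the fix.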