Allocate working buffer one word larger since we "forward accumulate" and overwrite the end by one word in at least some cases.

This commit is contained in:
Frank Warmerdam 2012-05-24 23:21:45 +00:00
parent c6d8cdcf29
commit bcc1656171
2 changed files with 8 additions and 3 deletions

View File

@ -1,3 +1,8 @@
2012-05-24 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_pixarlog.c: Allocate working buffer one word larger since we "forward
accumulate" and overwrite the end by one word in at least some cases.
2012-05-23 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_pixarlog.c: avoid accessing out of the lookup arrays for out of range inputs.

View File

@ -1,4 +1,4 @@
/* $Id: tif_pixarlog.c,v 1.36 2012-05-24 05:25:14 fwarmerdam Exp $ */
/* $Id: tif_pixarlog.c,v 1.37 2012-05-24 23:21:45 fwarmerdam Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@ -673,7 +673,7 @@ PixarLogSetupDecode(TIFF* tif)
td->td_rowsperstrip), sizeof(uint16));
if (tbuf_size == 0)
return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16));
if (sp->tbuf == NULL)
return (0);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)