From ebf0864306f4f24ac25011cf5d752b94c897faa1 Mon Sep 17 00:00:00 2001
From: Thomas Bernard
Date: Sat, 8 Feb 2020 11:17:08 +0100
Subject: [PATCH] tiff2ps: fix heap buffer read overflow in PSDataColorContig()

fixes #161 / http://bugzilla.maptools.org/show_bug.cgi?id=2855 in 05029fb7f1ecf771abaf90b5705b6cab9eb522a7 I missed that 1 extra byte is read in this loop.
---
 tools/tiff2ps.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
index 5874aba6..31a318a8 100644
--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
@@ -2467,8 +2467,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
 }
 if (alpha) {
 int adjust;
- cc = 0;
- for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
+ /*
+ * the code inside this loop reads nc bytes + 1 extra byte (for adjust)
+ */
+ for (cc = 0; (cc + nc) < tf_bytesperrow; cc += samplesperpixel) {
 DOBREAK(breaklen, nc, fd);
 /*
 * For images with alpha, matte against
@@ -2486,8 +2488,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
 cp += es;
 }
 } else {
- cc = 0;
- for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
+ /*
+ * the code inside this loop reads nc bytes per iteration
+ */
+ for (cc = 0; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
 DOBREAK(breaklen, nc, fd);
 switch (nc) {
 case 4: c = *cp++; PUTHEX(c,fd);
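Review bot: The new alpha-loop bound `(cc + nc) < tf_bytesperrow` in the first hunk is correct, but it reads as a different rule from the `<=` bound kept in the second hunk, so the off-by-one it fixes is easy to reintroduce by someone "harmonising" the two loops; writing it as `(cc + nc + 1) <= tf_bytesperrow` states the nc+1-byte read directly and lets both conditions be compared side by side. The comment above it could also say what the extra byte is, e.g. `/* each iteration reads nc color bytes plus the alpha byte used for adjust, i.e. nc + 1 bytes from cp; the bound must account for all of them */`. Whether `cc + nc` can wrap depends on the declared types of `cc`, `nc` and `tf_bytesperrow`, which are outside the hunk; if they do not share a wide enough type this is worth confirming. A row whose length is not a multiple of samplesperpixel now has its trailing partial pixel silently skipped rather than read past the buffer, which is the right choice but deserves a one-line note so it is not mistaken for a bug later. PSDataColorContig's body begins before and continues past both hunks.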