tiff2ps: fix heap buffer read overflow in PSDataColorContig()

fixes #161 / http://bugzilla.maptools.org/show_bug.cgi?id=2855

in 05029fb7f1 I missed that 1 extra byte is read
in this loop.
Thomas Bernard 2020-02-08 11:17:08 +01:00
parent 3334704ebc
commit ebf0864306
GPG Key ID: 0FF11B67A5C0863C


@ -2467,8 +2467,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
} }
if (alpha) { if (alpha) {
int adjust; int adjust;
cc = 0; /*
for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) { * the code inside this loop reads nc bytes + 1 extra byte (for adjust)
*/
for (cc = 0; (cc + nc) < tf_bytesperrow; cc += samplesperpixel) {
DOBREAK(breaklen, nc, fd); DOBREAK(breaklen, nc, fd);
/* /*
* For images with alpha, matte against * For images with alpha, matte against
@ -2486,8 +2488,10 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
cp += es; cp += es;
} }
} else { } else {
cc = 0; /*
for (; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) { * the code inside this loop reads nc bytes per iteration
*/
for (cc = 0; (cc + nc) <= tf_bytesperrow; cc += samplesperpixel) {
DOBREAK(breaklen, nc, fd); DOBREAK(breaklen, nc, fd);
switch (nc) { switch (nc) {
case 4: c = *cp++; PUTHEX(c,fd); case 4: c = *cp++; PUTHEX(c,fd);
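Review bot: The new alpha-loop bound `(cc + nc) < tf_bytesperrow` accounts for the extra matte byte only by changing `<=` to `<`, which is easy to "fix" back by accident because the non-alpha loop just below keeps `<=`. Writing it as `(cc + nc + 1) <= tf_bytesperrow` is equivalent, puts the "nc bytes + 1 extra byte" from the new comment into the condition itself, and keeps both loops in the same form. Both loops bound `cc` while the reads go through `cp`, which advances by nc and then `cp += es`, so the check is only as good as the assumption that `es` equals samplesperpixel - nc and that the row buffer really holds tf_bytesperrow bytes. Both of those are set outside these hunks (the function body starts before and ends after them) and would be worth stating in the comment, e.g. `/* cp tracks cc: each pass consumes nc + es == samplesperpixel bytes */`. Since this is the second fix to the same loop, a regression input from the referenced bug report run under a memory sanitizer would help keep the bound from drifting again.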