diff --git a/libtiff/tif_fax3.c b/libtiff/tif_fax3.c index 0af438ce..a64ec0f1 100644 --- a/libtiff/tif_fax3.c +++ b/libtiff/tif_fax3.c @@ -1,4 +1,4 @@ -/* $Id: tif_fax3.c,v 1.41 2006-06-08 11:33:00 dron Exp $ */ +/* $Id: tif_fax3.c,v 1.42 2006-09-28 16:26:03 dron Exp $ */ /* * Copyright (c) 1990-1997 Sam Leffler @@ -1138,6 +1138,7 @@ static int Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) { Fax3BaseState* sp = Fax3State(tif); + const TIFFFieldInfo* fip; assert(sp != 0); assert(sp->vsetparent != 0); @@ -1145,10 +1146,10 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) switch (tag) { case TIFFTAG_FAXMODE: sp->mode = va_arg(ap, int); - return (1); /* NB: pseudo tag */ + return 1; /* NB: pseudo tag */ case TIFFTAG_FAXFILLFUNC: DecoderState(tif)->fill = va_arg(ap, TIFFFaxFillFunc); - return (1); /* NB: pseudo tag */ + return 1; /* NB: pseudo tag */ case TIFFTAG_GROUP3OPTIONS: /* XXX: avoid reading options if compression mismatches. */ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) @@ -1183,9 +1184,14 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) default: return (*sp->vsetparent)(tif, tag, ap); } - TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); + + if ((fip = _TIFFFieldWithTag(tif, tag))) + TIFFSetFieldBit(tif, fip->field_bit); + else + return 0; + tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); + return 1; } static int diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c index a87174a1..edaa9493 100644 --- a/libtiff/tif_next.c +++ b/libtiff/tif_next.c @@ -1,4 +1,4 @@ -/* $Id: tif_next.c,v 1.6 2005-12-21 12:23:13 joris Exp $ */ +/* $Id: tif_next.c,v 1.7 2006-09-28 16:26:03 dron Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -99,17 +99,21 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s) unsigned long imagewidth = tif->tif_dir.td_imagewidth; /* - * The scanline is composed of a sequence - * of constant color ``runs''. We shift - * into ``run mode'' and interpret bytes - * as codes of the form - * until we've filled the scanline. + * The scanline is composed of a sequence of constant + * color ``runs''. We shift into ``run mode'' and + * interpret bytes as codes of the form + * until we've filled the scanline. */ op = row; for (;;) { grey = (n>>6) & 0x3; n &= 0x3f; - while (n-- > 0) + /* + * Ensure the run does not exceed the scanline + * bounds, potentially resulting in a security + * issue. + */ + while (n-- > 0 && npixels < imagewidth) SETPIXEL(op, grey); if (npixels >= (int) imagewidth) break; diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index 016f9cd6..257ebd35 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c @@ -1,4 +1,4 @@ -/* $Id: tif_pixarlog.c,v 1.14 2006-03-16 12:38:24 dron Exp $ */ +/* $Id: tif_pixarlog.c,v 1.15 2006-09-28 16:26:03 dron Exp $ */ /* * Copyright (c) 1996-1997 Sam Leffler @@ -327,7 +327,7 @@ horizontalAccumulate11(uint16 *wp, int n, int stride, uint16 *op) while (n > 0) { REPEAT(stride, wp[stride] += *wp; *op = *wp&mask; wp++; op++) - n -= stride; + n -= stride; } } } @@ -768,6 +768,18 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s) if (tif->tif_flags & TIFF_SWAB) TIFFSwabArrayOfShort(up, nsamples); + /* + * if llen is not an exact multiple of nsamples, the decode operation + * may overflow the output buffer, so truncate it enough to prevent + * that but still salvage as much data as possible. + */ + if (nsamples % llen) { + TIFFWarningExt(tif->tif_clientdata, module, + "%s: stride %lu is not a multiple of sample count, " + "%lu, data truncated.", tif->tif_name, llen, nsamples); + nsamples -= nsamples % llen; + } + for (i = 0; i < nsamples; i += llen, up += llen) { switch (sp->user_datafmt) { case PIXARLOGDATAFMT_FLOAT: @@ -1036,7 +1048,7 @@ PixarLogEncode(TIFF* tif, tidata_t bp, tsize_t cc, tsample_t s) TIFFDirectory *td = &tif->tif_dir; PixarLogState *sp = EncoderState(tif); static const char module[] = "PixarLogEncode"; - int i, n, llen; + int i, n, llen; unsigned short * up; (void) s;