29 lines
1.0 KiB
Diff
29 lines
1.0 KiB
Diff
|
Check that image width shown in SOF doesn't exceed what libtiff has
|
||
|
|
allocated based on ImageWidth. Patch from upstream bug
|
||
|
|
http://bugzilla.maptools.org/show_bug.cgi?id=1999
|
||
|
|
|
||
|
|
|
||
|
|
diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
|
||
|
|
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
|
||
|
|
+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2011-04-13 11:38:55.486008471 -0400
|
||
|
|
@@ -1537,7 +1537,6 @@
|
||
|
|
OJPEGReadSkip(sp,4);
|
||
|
|
else
|
||
|
|
{
|
||
|
|
- /* TODO: probably best to also add check on allowed upper bound, especially x, may cause buffer overflow otherwise i think */
|
||
|
|
/* Y: Number of lines */
|
||
|
|
if (OJPEGReadWord(sp,&p)==0)
|
||
|
|
return(0);
|
||
|
|
@@ -1555,6 +1554,11 @@
|
||
|
|
TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width");
|
||
|
|
return(0);
|
||
|
|
}
|
||
|
|
+ if ((uint32)p>sp->strile_width)
|
||
|
|
+ {
|
||
|
|
+ TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width");
|
||
|
|
+ return(0);
|
||
|
|
+ }
|
||
|
|
sp->sof_x=p;
|
||
|
|
}
|
||
|
|
/* Nf: Number of image components in frame */
|