29 lines
968 B
Diff
29 lines
968 B
Diff
From 5397a417e61258c69209904e652a1f409ec3b9df Mon Sep 17 00:00:00 2001
|
|
From: erouault <erouault>
|
|
Date: Fri, 2 Dec 2016 22:13:32 +0000
|
|
Subject: [PATCH] * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips
|
|
that can cause various issues, such as buffer overflows in the library.
|
|
Reported by Agostino Sarubbo. Fixes
|
|
http://bugzilla.maptools.org/show_bug.cgi?id=2598
|
|
|
|
---
|
|
tools/tiffcp.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
|
index a99c906..f294ed1 100644
|
|
--- a/tools/tiffcp.c
|
|
+++ b/tools/tiffcp.c
|
|
@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips)
|
|
tstrip_t s, ns = TIFFNumberOfStrips(in);
|
|
uint32 row = 0;
|
|
_TIFFmemset(buf, 0, stripsize);
|
|
- for (s = 0; s < ns; s++) {
|
|
+ for (s = 0; s < ns && row < imagelength; s++) {
|
|
tsize_t cc = (row + rowsperstrip > imagelength) ?
|
|
TIFFVStripSize(in, imagelength - row) : stripsize;
|
|
if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
|
|
--
|
|
2.7.4
|
|
|