Skip to content
This repository has been archived by the owner. It is now read-only.
Permalink
Browse files

* tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW

and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.
  • Loading branch information...
erouault
erouault committed Dec 17, 2016
1 parent f3069a5 commit 5ed9fea523316c2f5cec4d393e4d5d671c2dbc33
Showing with 13 additions and 1 deletion.
  1. +7 −0 ChangeLog
  2. +6 −1 tools/tiff2ps.c
@@ -1,3 +1,10 @@
2016-12-17 Even Rouault <even.rouault at spatialys.com>

* tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.

2016-12-13 Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
@@ -2440,6 +2440,11 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
unsigned char *cp, c;

(void) w;
if( es <= 0 )
{
TIFFError(filename, "Inconsistent value of es: %d", es);
return;
}
tf_buf = (unsigned char *) _TIFFmalloc(tf_bytesperrow);
if (tf_buf == NULL) {
TIFFError(filename, "No space for scanline buffer");
@@ -2692,7 +2697,7 @@ PSDataBW(FILE* fd, TIFF* tif, uint32 w, uint32 h)

if (alpha) {
int adjust;
while (cc-- > 0) {
while (cc-- > 1) {
DOBREAK(breaklen, 1, fd);
/*
* For images with alpha, matte against

0 comments on commit 5ed9fea

Please sign in to comment.
You can’t perform that action at this time.