* tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW

and PSDataColorContig). Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and http://bugzilla.maptools.org/show_bug.cgi?id=2634.
vadz · Dec 17, 2016 · 5ed9fea · 5ed9fea
1 parent f3069a5
commit 5ed9fea
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,10 @@
+2016-12-17 Even Rouault <even.rouault at spatialys.com>
+
+	* tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
+	and PSDataColorContig). Reported by Agostino Sarubbo.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
+	http://bugzilla.maptools.org/show_bug.cgi?id=2634.
+
 2016-12-13 Even Rouault <even.rouault at spatialys.com>
 
 	* libtiff/tif_fax3.h: revert change done on 2016-01-09 that made

diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
@@ -2440,6 +2440,11 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
 	unsigned char *cp, c;
 
 	(void) w;
+        if( es <= 0 )
+        {
+            TIFFError(filename, "Inconsistent value of es: %d", es);
+            return;
+        }
 	tf_buf = (unsigned char *) _TIFFmalloc(tf_bytesperrow);
 	if (tf_buf == NULL) {
 		TIFFError(filename, "No space for scanline buffer");
@@ -2692,7 +2697,7 @@ PSDataBW(FILE* fd, TIFF* tif, uint32 w, uint32 h)
 
 			if (alpha) {
 				int adjust;
-				while (cc-- > 0) {
+				while (cc-- > 1) {
 					DOBREAK(breaklen, 1, fd);
 					/*
 					 * For images with alpha, matte against