Skip to content
This repository was archived by the owner on Dec 1, 2017. It is now read-only.

Commit 787c0ee

Browse files
author
erouault
committed
* tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
buffer overflow. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
1 parent 296803e commit 787c0ee

File tree

2 files changed

+10
-3
lines changed

2 files changed

+10
-3
lines changed

Diff for: ChangeLog

+7
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,10 @@
1+
2016-12-03 Even Rouault <even.rouault at spatialys.com>
2+
3+
* tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
4+
buffer overflow.
5+
Reported by Agostino Sarubbo.
6+
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
7+
18
2016-12-03 Even Rouault <even.rouault at spatialys.com>
29

310
* tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is

Diff for: tools/tiffcp.c

+3-3
Original file line numberDiff line numberDiff line change
@@ -1163,7 +1163,7 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
11631163

11641164
static void
11651165
cpStripToTile(uint8* out, uint8* in,
1166-
uint32 rows, uint32 cols, int outskew, int inskew)
1166+
uint32 rows, uint32 cols, int outskew, int64 inskew)
11671167
{
11681168
while (rows-- > 0) {
11691169
uint32 j = cols;
@@ -1320,7 +1320,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
13201320
tdata_t tilebuf;
13211321
uint32 imagew = TIFFScanlineSize(in);
13221322
uint32 tilew = TIFFTileRowSize(in);
1323-
int iskew = imagew - tilew;
1323+
int64 iskew = (int64)imagew - (int64)tilew;
13241324
uint8* bufp = (uint8*) buf;
13251325
uint32 tw, tl;
13261326
uint32 row;
@@ -1348,7 +1348,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
13481348
status = 0;
13491349
goto done;
13501350
}
1351-
if (colb + tilew > imagew) {
1351+
if (colb > iskew) {
13521352
uint32 width = imagew - colb;
13531353
uint32 oskew = tilew - width;
13541354
cpStripToTile(bufp + colb,

0 commit comments

Comments
 (0)