2 files changed +10
-3
lines changed Original file line number Diff line number Diff line change 1+ 2016-12-03 Even Rouault <even.rouault at spatialys.com>
2+
3+ * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
4+ buffer overflow.
5+ Reported by Agostino Sarubbo.
6+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
7+
182016-12-03 Even Rouault <even.rouault at spatialys.com>
29
310 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is
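--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1163,7 +1163,7 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
 
 static void
 cpStripToTile (uint8 * out , uint8 * in ,
- uint32 rows , uint32 cols , int outskew , int inskew )
+ uint32 rows , uint32 cols , int outskew , int64 inskew )
 {
  while (rows -- > 0 ) {
  uint32 j = cols ;
@@ -1320,7 +1320,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
  tdata_t tilebuf ;
  uint32 imagew = TIFFScanlineSize (in );
  uint32 tilew = TIFFTileRowSize (in );
- int iskew = imagew - tilew ;
+ int64 iskew = ( int64 ) imagew - ( int64 ) tilew ;
  uint8 * bufp = (uint8 * ) buf ;
  uint32 tw , tl ;
  uint32 row ;
@@ -1348,7 +1348,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
  status = 0 ;
  goto done ;
  }
- if (colb + tilew > imagew ) {
+ if (colb > iskew ) {
  uint32 width = imagew - colb ;
  uint32 oskew = tilew - width ;
  cpStripToTile (bufp + colb ,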
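Review bot: `outskew` is left as `int` in the `cpStripToTile` signature at line 1166 while `inskew` is widened to `int64`, so a caller that derives the out-skew from the now 64-bit `iskew` would have it narrowed implicitly at the call. The argument list of the call at line 1354 continues outside the hunk, so this cannot be confirmed from here; if it does pass such a value, the signature should read `uint32 rows, uint32 cols, int64 outskew, int64 inskew)`. Separately, `imagew` and `tilew` at lines 1321-1322 are still `uint32`, so the `(int64)` casts widen values that may already have been truncated if `TIFFScanlineSize`/`TIFFTileRowSize` return a wider type, and a zero return is not rejected before `iskew` is computed in the visible lines. With a negative `iskew` the new test `colb > iskew` is always true, so `uint32 width = imagew - colb` depends on a `colb < imagew` loop bound that is not visible here and deserves a comment at that line.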