* tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG

compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.

ChangeLog

@@ -1,3 +1,10 @@
+2016-10-09 Even Rouault <even.rouault at spatialys.com>
+
+	* tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
+	compressed images. Reported by Tyler Bohan of Cisco Talos as
+	TALOS-CAN-0187 / CVE-2016-5652.
+	Also prevents writing 2 extra uninitialized bytes to the file stream.
+
 2016-10-08 Even Rouault <even.rouault at spatialys.com>
 
 	* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd

tools/tiff2pdf.c

@@ -2887,21 +2887,24 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
 				return(0);
 			}
 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
-				if (count >= 2) {
-					_TIFFmemcpy(buffer, jpt, count);
+				if (count >= 4) {
+                    /* Ignore EOI marker of JpegTables */
+					_TIFFmemcpy(buffer, jpt, count - 2);
 					bufferoffset += count - 2;
+                    /* Store last 2 bytes of the JpegTables */
 					table_end[0] = buffer[bufferoffset-2];
 					table_end[1] = buffer[bufferoffset-1];
-				}
-				if (count >= 2) {
 					xuint32 = bufferoffset;
+                    bufferoffset -= 2;
 					bufferoffset += TIFFReadRawTile(
 						input, 
 						tile, 
-						(tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), 
+						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), 
 						-1);
-						buffer[xuint32-2]=table_end[0];
-						buffer[xuint32-1]=table_end[1];
+                    /* Overwrite SOI marker of image scan with previously */
+                    /* saved end of JpegTables */
+					buffer[xuint32-2]=table_end[0];
+					buffer[xuint32-1]=table_end[1];
 				} else {
 					bufferoffset += TIFFReadRawTile(
 						input,