https://github.com/libsdl-org/libtiff/commit/4b73a6e6cb1bc3c668605c9b493c8f8a71924989
From 4b73a6e6cb1bc3c668605c9b493c8f8a71924989 Mon Sep 17 00:00:00 2001
From: Lee Howard <[EMAIL REDACTED]>
Date: Sat, 11 Dec 2010 19:16:26 +0000
Subject: [PATCH] 2010-12-08 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_ojpeg.c: fix crash when reading a TIFF with a zero
or missing byte-count tag
* tools/tiffsplit.c: abort when reading a TIFF without a byte-count
per http://bugzilla.maptools.org/show_bug.cgi?id=1996
---
ChangeLog | 7 +++++++
libtiff/tif_ojpeg.c | 8 +++++++-
tools/tiffsplit.c | 12 +++++++++---
3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 60ef7481..2c92f577 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-12-08 Lee Howard <faxguy@howardsilvan.com>
+
+ * libtiff/tif_ojpeg.c: fix crash when reading a TIFF with a zero
+ or missing byte-count tag
+ * tools/tiffsplit.c: abort when reading a TIFF without a byte-count
+ per http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
2010-12-08 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_dirread.c: fix crash when reading a badly-constructed
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 9ae856cf..c481a0b0 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -1,4 +1,4 @@
-/* $Id: tif_ojpeg.c,v 1.24.2.6 2010-06-08 23:29:51 bfriesen Exp $ */
+/* $Id: tif_ojpeg.c,v 1.24.2.7 2010-12-11 19:16:26 faxguy Exp $ */
/* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
specification is now totally obsolete and deprecated for new applications and
@@ -1918,8 +1918,14 @@ OJPEGReadBufferFill(OJPEGState* sp)
{
if (sp->in_buffer_file_pos>=sp->file_size)
sp->in_buffer_file_pos=0;
+ else if (sp->tif->tif_dir.td_stripbytecount==NULL)
+ sp->in_buffer_file_togo=sp->file_size-sp->in_buffer_file_pos;
else
{
+ if (sp->tif->tif_dir.td_stripbytecount == 0) {
+ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
+ return(0);
+ }
sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];
if (sp->in_buffer_file_togo==0)
sp->in_buffer_file_pos=0;
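Review bot: The inner `if (sp->tif->tif_dir.td_stripbytecount == 0)` test inside the final `else` can never be true, because the new `else if (sp->tif->tif_dir.td_stripbytecount==NULL)` branch directly above already takes every null pointer, so the "Strip byte counts are missing" error is dead code. The two additions also disagree on policy: one quietly treats the rest of the file as the current strile's data, the other would reject the file. Pick one: if the fallback is intended, delete the inner block and document the branch with a comment such as `/* no byte-count array: read to end of file */`; if rejecting is intended, drop the `else if` branch instead. Separately, the index `sp->in_buffer_next_strile` is not checked against the number of byte-count entries in the visible lines, so it is worth confirming that a bound is enforced elsewhere for malformed files. OJPEGReadBufferFill starts and ends outside the hunk.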
diff --git a/tools/tiffsplit.c b/tools/tiffsplit.c
index 58288cdb..4e4aa313 100644
--- a/tools/tiffsplit.c
+++ b/tools/tiffsplit.c
@@ -1,4 +1,4 @@
-/* $Id: tiffsplit.c,v 1.14.2.4 2010-06-08 18:50:44 bfriesen Exp $ */
+/* $Id: tiffsplit.c,v 1.14.2.5 2010-12-11 19:16:26 faxguy Exp $ */
/*
* Copyright (c) 1992-1997 Sam Leffler
@@ -237,7 +237,10 @@ cpStrips(TIFF* in, TIFF* out)
tstrip_t s, ns = TIFFNumberOfStrips(in);
uint32 *bytecounts;
- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
+ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
+ fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
+ return (0);
+ }
for (s = 0; s < ns; s++) {
if (bytecounts[s] > (uint32)bufsize) {
buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
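Review bot: The new early `return (0);` in cpStrips exits without releasing `buf`, which, judging by the `_TIFFrealloc(buf, ...)` call a few lines below, is allocated before the hunk starts. The matching return added in cpTiles has the same problem. Free the buffer first by placing `_TIFFfree(buf);` directly before each `return (0);`. Both function bodies begin and end outside their hunks, so the allocation itself is inferred rather than visible.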
@@ -267,7 +270,10 @@ cpTiles(TIFF* in, TIFF* out)
ttile_t t, nt = TIFFNumberOfTiles(in);
uint32 *bytecounts;
- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
+ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
+ fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
+ return (0);
+ }
for (t = 0; t < nt; t++) {
if (bytecounts[t] > (uint32) bufsize) {
buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);