https://github.com/libsdl-org/libtiff/commit/9eab3e3e02cae1eca3305221d7a9a34130281312
From 9eab3e3e02cae1eca3305221d7a9a34130281312 Mon Sep 17 00:00:00 2001
From: Frank Warmerdam <[EMAIL REDACTED]>
Date: Sun, 13 Jun 2010 19:18:41 +0000
Subject: [PATCH] various fixes for tiff2pdf (#2211)
---
ChangeLog | 9 +++++++++
tools/tiff2pdf.c | 17 +++++++++--------
2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 809be972..47c364e4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2010-06-13 Frank Warmerdam <warmerdam@pobox.com>
+
+ * tiff2pdf.c: Fix assorted bugs in tiff2pdf: missing "return"
+ in t2p_read_tiff_size() causes t2p->tiff_datasize to be set entirely
+ wrong for COMPRESSION_JPEG case, resulting in memory stomp if actual
+ size is larger. Also, there are a bunch of places that try to
+ memset() a malloc'd buffer before checking for malloc failure, which
+ would result in core dump if there actually were a failure. (#2211)
+
2010-06-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiff2rgba.c: Applied portion of patch (from Tom Lane)
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 80d8c77e..b1886c6d 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2pdf.c,v 1.37.2.9 2010-06-08 18:50:44 bfriesen Exp $
+/* $Id: tiff2pdf.c,v 1.37.2.10 2010-06-13 19:18:41 fwarmerdam Exp $
*
* tiff2pdf - converts a TIFF image to a PDF document
*
@@ -1913,6 +1913,7 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */
}
t2p->tiff_datasize +=2; /* use EOI of last strip */
+ return;
}
#endif
(void) 0;
@@ -2100,7 +2101,6 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
if (t2p->pdf_compression == T2P_COMPRESS_ZIP) {
buffer = (unsigned char*)
_TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer == NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2109,6 +2109,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
TIFFReadRawStrip(input, 0, (tdata_t) buffer,
t2p->tiff_datasize);
if (t2p->tiff_fillorder==FILLORDER_LSB2MSB) {
@@ -2127,7 +2128,6 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
if(t2p->tiff_dataoffset != 0) {
buffer = (unsigned char*)
_TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer == NULL) {
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2136,6 +2136,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
if(t2p->pdf_ojpegiflength==0){
inputoffset=t2pSeekFile(input, 0,
SEEK_CUR);
@@ -2203,7 +2204,6 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
}
buffer = (unsigned char*)
_TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2212,6 +2212,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
_TIFFmemcpy(buffer, t2p->pdf_ojpegdata, t2p->pdf_ojpegdatalength);
bufferoffset=t2p->pdf_ojpegdatalength;
stripcount=TIFFNumberOfStrips(input);
@@ -2246,7 +2247,6 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
uint32 count = 0;
buffer = (unsigned char*)
_TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2255,6 +2255,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
if (TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
if(count > 4) {
_TIFFmemcpy(buffer, jpt, count);
@@ -2308,7 +2309,6 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
if(t2p->pdf_sample==T2P_SAMPLE_NOTHING){
buffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2317,6 +2317,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
stripsize=TIFFStripSize(input);
stripcount=TIFFNumberOfStrips(input);
for(i=0;i<stripcount;i++){
@@ -2346,7 +2347,6 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
stripcount=sepstripcount/t2p->tiff_samplesperpixel;
buffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2355,6 +2355,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
samplebuffer = (unsigned char*) _TIFFmalloc(stripsize);
if(samplebuffer==NULL){
TIFFError(TIFF2PDF_MODULE,
@@ -2395,7 +2396,6 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
}
buffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);
- memset(buffer, 0, t2p->tiff_datasize);
if(buffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s",
@@ -2404,6 +2404,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
+ memset(buffer, 0, t2p->tiff_datasize);
stripsize=TIFFStripSize(input);
stripcount=TIFFNumberOfStrips(input);
for(i=0;i<stripcount;i++){