From aac006e5796437f1729b1284fbfa506b2b730aff Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Sat, 19 Feb 2022 16:08:15 +0000
Subject: [PATCH] tiffcrop: buffsize check formula in loadImage() amended
(fixes #273,#275)
---
tools/tiffcrop.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index e4a08ca9..f2e5474a 100644
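--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6153,9 +6153,15 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
 TIFFError("loadImage", "Integer overflow detected.");
 exit(EXIT_FAILURE);
 }
- if (buffsize < (uint32_t) (((length * width * spp * bps) + 7) / 8))
+ /* The buffsize_check and the possible adaptation of buffsize
+ * has to account also for padding of each line to a byte boundary.
+ * This is assumed by mirrorImage() and rotateImage().
+ * Otherwise buffer-overflow might occur there.
+ */
+ buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
+ if (buffsize < buffsize_check)
 {
- buffsize = ((length * width * spp * bps) + 7) / 8;
+ buffsize = buffsize_check;
 #ifdef DEBUG2
 TIFFError("loadImage",
 "Stripsize %"PRIu32" is too small, using imagelength * width * spp * bps / 8 = %"PRIu32,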
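Review bot: The DEBUG2 message at the end of the hunk still reports the fallback size as `imagelength * width * spp * bps / 8`, which no longer matches the per-row padded value now stored in `buffsize`; it should describe the new formula, for example `"Stripsize %"PRIu32" is too small, using imagelength * ((width * spp * bps + 7) / 8) = %"PRIu32`. Separately, the overflow guard whose tail is visible above the change starts outside the hunk, so it cannot be confirmed from here that it also bounds `length * (uint32_t)(((width * spp * bps) + 7) / 8)`, which appears to be evaluated in 32-bit arithmetic. Because this value sizes the buffer that mirrorImage() and rotateImage() rely on, the new comment should also name the check that guarantees the product cannot wrap. loadImage() itself begins and ends outside the hunk.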
--
GitLab