Commit 9171da59 authored by Nathan Baker's avatar Nathan Baker Committed by Olivier Paquet

Add workaround to pal2rgb buffer overflow.

parent 070abb3a
......@@ -182,8 +182,21 @@ main(int argc, char* argv[])
{ unsigned char *ibuf, *obuf;
register unsigned char* pp;
register uint32 x;
ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
tmsize_t tss_in = TIFFScanlineSize(in);
tmsize_t tss_out = TIFFScanlineSize(out);
if (tss_out / tss_in < 3) {
/*
* BUG 2750: The following code does not know about chroma
* subsampling of JPEG data. It assumes that the output buffer is 3x
* the length of the input buffer due to exploding the palette into
* RGB tuples. If this assumption is incorrect, it could lead to a
* buffer overflow. Go ahead and fail now to prevent that.
*/
fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
return -1;
}
ibuf = (unsigned char*)_TIFFmalloc(tss_in);
obuf = (unsigned char*)_TIFFmalloc(tss_out);
switch (config) {
case PLANARCONFIG_CONTIG:
for (row = 0; row < imagelength; row++) {
......
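Review bot: The new guard `if (tss_out / tss_in < 3)` divides by `tss_in` before checking it, so an input whose scanline size comes back as 0 (which, as far as I know, is how TIFFScanlineSize reports an error) would fault on a division by zero instead of reaching the error message. Checking the sizes first closes that: `if (tss_in <= 0 || tss_out <= 0 || tss_out / tss_in < 3) {`. No NULL check on the two `_TIFFmalloc` results is visible between the allocations and the row loop, so an allocation failure would presumably be dereferenced there. The early `return -1` also appears to skip closing `in` and `out`; both are opened outside this hunk, and main() starts and ends outside it, so confirm against the rest of the function.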