- 2014.12.27 22:30 "[Tiff] [PATCH] tiff2pdf fixes for grayscale (min-is-white/black) and alpha", by Yuriy M. Kaminskiy
- 2014.12.29 22:29 "[Tiff] [PATCH] Signal error on unsupported sample/bit-depth in jbig codec instead of silently producing garbage", by Yuriy M. Kaminskiy
-
2014.12.30 20:41 "[Tiff] [PATCH] tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply", by Yuriy M. Kaminskiy
-
2014.12.30 20:55 "Re: [Tiff] [PATCH] tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply", by Jürgen_Buchmüller
- 2014.12.30 21:45 "Re: [Tiff] [PATCH] tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply", by Yuriy M. Kaminskiy
- 2014.12.31 14:33 "Re: [Tiff] [PATCH] tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply", by Olivier Paquet
- 2015.01.04 23:02 "Re: [Tiff] [PATCH] tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply", by Yuriy M. Kaminskiy
- 2014.12.31 09:36 "Re: [Tiff] [PATCH] tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply", by Jürgen_Buchmüller
-
2014.12.30 20:55 "Re: [Tiff] [PATCH] tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply", by Jürgen_Buchmüller
- 2015.01.25 16:56 "[Tiff] [security][PATCH] tiff2pdf: fix snprintf return value misuse", by Yuriy M. Kaminskiy
2015.01.25 16:56 "[Tiff] [security][PATCH] tiff2pdf: fix snprintf return value misuse", by Yuriy M. Kaminskiy
There are a lot of code like this:
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
written += t2pWriteFile(output, (tdata_t) buffer, buflen );
in tiff2pdf. This is seriously broken: when formatted string is larger than
buffer, snprintf return value is >= sizeof(buffer) [current standard] or -1
[legacy]. And in case of other errors, snprintf returns -1.
Both would result in reading unallocated memory and possible SIGSEGV (DoS).
I doubt it can be really exploitable (to begin with, in most cases buffer was
large enough and sprintf->snprintf change was pure paranoia, IMO), but /if/ you
decided previous code was not safe and snprintf is necessary, /then/ you MUST
check its return value.
PS no reaction to private message -> reposting publicly with 1 month delay
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
NotDashEscaped: You need GnuPG to verify this message
From: Yuriy M. Kaminskiy <yumkam@gmail.com>
Subject: [security] tiff2pdf: fix snprintf return value misuse
When snprintf would result in buffer overrun, it returns value equal or larger than buffer size (modern/standard), or return -1 (older implementation).
Check snprintf return value before use.
Index: tiff-4.0.x-20141215/tools/tiff2pdf.c
===================================================================
--- tiff-4.0.x-20141215.orig/tools/tiff2pdf.c 2014-12-28 05:19:57.888095939 +0300
+++ tiff-4.0.x-20141215/tools/tiff2pdf.c 2014-12-28 05:37:55.772097683 +0300
@@ -337,6 +337,13 @@ tsize_t t2p_write_pdf_xobject_stream_fil
tsize_t t2p_write_pdf_xreftable(T2P*, TIFF*);
tsize_t t2p_write_pdf_trailer(T2P*, TIFF*);
+#define check_snprintf_ret(t2p, rv, buf) do { \
+ if ((rv) < 0) rv = 0; \
+ else if((rv) >= (int)sizeof(buf)) (rv) = sizeof(buf) - 1; \
+ else break; \
+ if ((t2p) != NULL) (t2p)->t2p_error = T2P_ERR_ERROR; \
+} while(0)
+
static void
t2p_disable(TIFF *tif)
{
@@ -3753,6 +3760,7 @@ tsize_t t2p_write_pdf_header(T2P* t2p, T
buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ",
t2p->pdf_majorversion&0xff,
t2p->pdf_minorversion&0xff);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7);
@@ -3770,6 +3778,7 @@ tsize_t t2p_write_pdf_obj_start(uint32 n
int buflen=0;
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
+ check_snprintf_ret((T2P*)NULL, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen );
written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7);
@@ -3995,6 +4004,7 @@ tsize_t t2p_write_pdf_stream_dict(tsize_
written += t2p_write_pdf_stream_length(len, output);
} else {
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
+ check_snprintf_ret((T2P*)NULL, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
}
@@ -4039,6 +4049,7 @@ tsize_t t2p_write_pdf_stream_length(tsiz
int buflen=0;
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len);
+ check_snprintf_ret((T2P*)NULL, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n", 1);
@@ -4059,6 +4070,7 @@ tsize_t t2p_write_pdf_catalog(T2P* t2p,
(tdata_t)"<< \n/Type /Catalog \n/Pages ",
27);
buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer,
TIFFmin((size_t)buflen,
sizeof(buffer) - 1));
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
@@ -4240,6 +4252,7 @@ tsize_t t2p_write_pdf_pages(T2P* t2p, TI
page = t2p->pdf_pages+1;
for (i=0;i<t2p->tiff_pagecount;i++){
buflen=snprintf(buffer, sizeof(buffer), "%d", page);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
if ( ((i+1)%8)==0 ) {
@@ -4255,6 +4268,7 @@ tsize_t t2p_write_pdf_pages(T2P* t2p, TI
}
written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10);
buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6);
@@ -4274,23 +4288,29 @@ tsize_t t2p_write_pdf_page(uint32 object
written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24);
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11);
buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "] \n", 3);
written += t2pWriteFile(output, (tdata_t) "/Contents ", 10);
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15);
@@ -4299,13 +4319,16 @@ tsize_t t2p_write_pdf_page(uint32 object
for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){
written += t2pWriteFile(output, (tdata_t) "/Im", 3);
buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "_", 1);
buflen = snprintf(buffer, sizeof(buffer), "%u", i+1);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
if(i%4==3){
@@ -4317,10 +4340,12 @@ tsize_t t2p_write_pdf_page(uint32 object
written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
written += t2pWriteFile(output, (tdata_t) "/Im", 3);
buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
@@ -4330,6 +4355,7 @@ tsize_t t2p_write_pdf_page(uint32 object
t2pWriteFile(output, (tdata_t) "/GS1 ", 5);
buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(object + 3));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
written += t2pWriteFile(output, (tdata_t) ">> \n", 4);
@@ -4712,6 +4738,7 @@ tsize_t t2p_write_pdf_page_content_strea
box.mat[7],
t2p->pdf_page + 1,
(long)(i + 1));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2p_write_pdf_stream(buffer, buflen, output);
}
} else {
@@ -4726,6 +4753,7 @@ tsize_t t2p_write_pdf_page_content_strea
box.mat[6],
box.mat[7],
t2p->pdf_page+1);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2p_write_pdf_stream(buffer, buflen, output);
}
@@ -4749,10 +4777,12 @@ tsize_t t2p_write_pdf_xobject_stream_dic
(tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im",
42);
buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
if(tile != 0){
written += t2pWriteFile(output, (tdata_t) "_", 1);
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
}
written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8);
@@ -4767,6 +4797,7 @@ tsize_t t2p_write_pdf_xobject_stream_dic
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
}
}
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9);
if(tile==0){
@@ -4780,9 +4811,11 @@ tsize_t t2p_write_pdf_xobject_stream_dic
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
}
}
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19);
buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13);
written += t2p_write_pdf_xobject_cs(t2p, output);
@@ -4827,9 +4860,11 @@ tsize_t t2p_write_pdf_xobject_cs(T2P* t2
written += t2p_write_pdf_xobject_cs(t2p, output);
t2p->pdf_colorspace |= T2P_CS_PALETTE;
buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " ", 1);
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs );
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7);
return(written);
@@ -4864,6 +4899,7 @@ tsize_t t2p_write_pdf_xobject_cs(T2P* t2
Z_W /= Y_W;
Y_W = 1.0F;
buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Range ", 7);
buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n",
@@ -4871,6 +4907,7 @@ tsize_t t2p_write_pdf_xobject_cs(T2P* t2
t2p->pdf_labrange[1],
t2p->pdf_labrange[2],
t2p->pdf_labrange[3]);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) ">>] \n", 5);
@@ -4889,20 +4926,24 @@ tsize_t t2p_write_pdf_transfer(T2P* t2p,
if(t2p->tiff_transferfunctioncount == 1){
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 1));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
} else {
written += t2pWriteFile(output, (tdata_t) "[ ", 2);
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 1));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 2));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)(t2p->pdf_xrefcount + 3));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
written += t2pWriteFile(output, (tdata_t) "/Identity ] ", 12);
@@ -4924,6 +4965,7 @@ tsize_t t2p_write_pdf_transfer_dict(T2P*
written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19);
written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18);
buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19);
written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output);
@@ -5019,18 +5061,21 @@ tsize_t t2p_write_pdf_xobject_calcs(T2P*
if(t2p->pdf_colorspace & T2P_CS_CALGRAY){
written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12);
}
if(t2p->pdf_colorspace & T2P_CS_CALRGB){
written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8);
buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
X_R, Y_R, Z_R,
X_G, Y_G, Z_G,
X_B, Y_B, Z_B);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Gamma [2.2 2.2 2.2] \n", 22);
}
@@ -5051,6 +5096,7 @@ tsize_t t2p_write_pdf_xobject_icccs(T2P*
written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11);
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7);
@@ -5065,6 +5111,7 @@ tsize_t t2p_write_pdf_xobject_icccs_dict
written += t2pWriteFile(output, (tdata_t) "/N ", 3);
buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11);
t2p->pdf_colorspace ^= T2P_CS_ICCBASED;
@@ -5151,32 +5198,38 @@ tsize_t t2p_write_pdf_xobject_stream_fil
written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_width);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_length);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
} else {
if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
} else {
written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
}
if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
} else {
written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
buflen=snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
}
}
@@ -5203,16 +5256,20 @@ tsize_t t2p_write_pdf_xobject_stream_fil
written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14);
buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /Columns ", 10);
buflen = snprintf(buffer, sizeof(buffer), "%lu",
(unsigned long)t2p->tiff_width);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /Colors ", 9);
buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19);
buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
}
@@ -5238,6 +5295,7 @@ tsize_t t2p_write_pdf_xreftable(T2P* t2p
written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7);
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22);
for (i=0;i<t2p->pdf_xrefcount;i++){
@@ -5266,12 +5324,15 @@ tsize_t t2p_write_pdf_trailer(T2P* t2p,
written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17);
buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7);
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12);
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11);
written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
@@ -5281,6 +5342,7 @@ tsize_t t2p_write_pdf_trailer(T2P* t2p,
sizeof(t2p->pdf_fileid) - 1);
written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16);
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref);
+ check_snprintf_ret(t2p, buflen, buffer);
written += t2pWriteFile(output, (tdata_t) buffer, buflen);
written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7);
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iF4EAREIAAYFAlSfbbMACgkQKZn9iF16KMPiBgD/SsATW7niqSFd4ioUpkKX1pb0
iMHY4M9akX+B3RlWKCMA/i/R4T+sAzod1oJ5uWSrGAgkpDx2GCrMMlrGzgh0cARf
=iH1L
-----END PGP SIGNATURE-----