2011.10.19 21:20 "[Tiff] Possible bug in tiffsplit and patch proposal", by Christophe Deroulers

Dear all,

According to the most recent documentation, when getting the field JPEGTables (TIFFTAG_JPEGTABLES) with function TIFFGetField, the returned "count" is a uint32 -- see e.g. http://libtiff.maptools.org/man/TIFFGetField.3tiff.html. However, in the versions of the tool "tiffsplit" provided with tiff-3.9.5 and tiff-4.0.0beta7, a pointer to a uint16 is passed to TIFFGetField, which is IMHO wrong and may lead to some overwriting of another variable or memory zone. If this is right, here is a patch proposal for the two versions of tiffsplit:

====== for tiff-3.9.5 =======

--- tiffsplit.c.orig    2010-12-14 02:45:51.000000000 +0100

+++ tiffsplit.c 2011-10-19 20:16:57.000000000 +0200
@@ -172,7 +172,7 @@
         CopyField(TIFFTAG_SAMPLESPERPIXEL, samplesperpixel);
         CopyField(TIFFTAG_COMPRESSION, compression);
         if (compression == COMPRESSION_JPEG) {
- uint16 count = 0;
+ uint32 count = 0;
                 void *table = NULL;
                 if (TIFFGetField(in, TIFFTAG_JPEGTABLES, &count, &table)
                     && count > 0 && table) {
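Review bot: the type change is the right fix, because TIFFGetField fills the count of TIFFTAG_JPEGTABLES through a pointer to a 32-bit value; with `uint16 count` the 4-byte store also covers the two bytes that follow `count` on the stack, and depending on the host's byte order `count` may receive the high half of the value (zero for any realistic table size), in which case the `count > 0 && table` guard silently drops the tables instead of copying them. One thing to fix before this can be applied: the `-`/`+` lines have lost their indentation relative to the context lines (a single space after the marker instead of the block's indent), so `patch` will not match `- uint16 count = 0;` against the file without `-l`; re-send the diff as an attachment or regenerate it so the leading whitespace survives.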
=============================

====== for tiff-4.0.0beta7 ===

--- tiffsplit.c.orig    2010-12-14 02:45:44.000000000 +0100

+++ tiffsplit.c 2011-10-19 20:20:26.000000000 +0200
@@ -172,7 +172,7 @@
         CopyField(TIFFTAG_SAMPLESPERPIXEL, samplesperpixel);
         CopyField(TIFFTAG_COMPRESSION, compression);
         if (compression == COMPRESSION_JPEG) {
- uint16 count = 0;
+ uint32 count = 0;
                 void *table = NULL;
                 if (TIFFGetField(in, TIFFTAG_JPEGTABLES, &count, &table)
                     && count > 0 && table) {
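Review bot: apart from the header timestamps this hunk is identical to the 3.9.5 one, and the same two points apply: the widening to `uint32` matches the documented count type and removes the out-of-bounds store, and the `-`/`+` lines need their original indentation restored before the patch will apply cleanly. Since the 4.0.0beta7 tree is still moving, it would also be worth checking the other tools in the same directory for the same `uint16 count` pattern around a TIFFGetField call for this tag, so that the fix lands once for the whole 4.0 series.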
=============================

Hope this helps -- best wishes,

Christophe Deroulers

Laboratory IMNC & Physics Dept. of the University Paris Diderot-Paris 7
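As an added illustration of the point made in the mail (this is not libtiff code and not part of the original message): `mock_TIFFGetField` is a constructed stand-in that stores the JPEGTables count through a `uint32_t *` and the table pointer through a `void **`, as the manual page documents; `copy_jpeg_tables_fixed` is the patched tiffsplit pattern, and `neighbour_after_uint16_store` shows deterministically what a 32-bit store into a 2-byte `count` does to the variable next to it. All three function names are assumptions for this example.

```c
/* Added example, not libtiff code: models the TIFFGetField count convention
 * for TIFFTAG_JPEGTABLES and the effect of receiving it in a uint16. */
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MOCK_TIFFTAG_JPEGTABLES 347   /* real tag number of JPEGTables */

/* Constructed sample: 7 bytes standing in for a JPEG tables blob. */
static const uint8_t sample_tables[] = { 0xFF, 0xD8, 0xFF, 0xDB, 0x00, 0x43, 0x00 };

/* Stand-in for TIFFGetField: for JPEGTables it writes the count through a
 * uint32_t* (a 4-byte store) and the table through a void**. Returns 1 on success. */
static int mock_TIFFGetField(int tag, ...)
{
    va_list ap;
    va_start(ap, tag);
    if (tag != MOCK_TIFFTAG_JPEGTABLES) { va_end(ap); return 0; }
    uint32_t *count = va_arg(ap, uint32_t *);
    const void **table = va_arg(ap, const void **);
    *count = (uint32_t)sizeof sample_tables;
    *table = sample_tables;
    va_end(ap);
    return 1;
}

/* The patched tiffsplit pattern: a uint32_t receives the whole count.
 * Returns the count (0 if absent) and, if table_out is non-NULL, the table. */
uint32_t copy_jpeg_tables_fixed(const void **table_out)
{
    uint32_t count = 0;
    const void *table = NULL;
    int have = mock_TIFFGetField(MOCK_TIFFTAG_JPEGTABLES, &count, &table)
               && count > 0 && table;
    if (table_out) *table_out = have ? table : NULL;
    return have ? count : 0;
}

/* What the unpatched code does in memory: the 4-byte store lands on a 2-byte
 * slot, so the 2 bytes after `count` (modelled as `neighbour`, preset to
 * 0xBEEF) are overwritten as well. memcpy is used so the effect is
 * reproducible rather than undefined behaviour. Returns neighbour afterwards. */
uint16_t neighbour_after_uint16_store(uint32_t value)
{
    struct { uint16_t count; uint16_t neighbour; } slot = { 0, 0xBEEF };
    memcpy(&slot, &value, sizeof value);      /* the oversized write */
    return slot.neighbour;
}
```

Whatever the host byte order, the neighbour never keeps its 0xBEEF value once the store happens, which is the "overwriting of another variable" the mail describes.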