TIFF and LibTiff Mailing List Archive
May 2011

The TIFF Mailing List Homepage
This list is run by Frank Warmerdam
Archive maintained by AWare Systems






Thread

2011.05.30 06:54 "tiff-4.0.0beta7: fix/mark a few minor bugs", by Jim Meyering
2011.05.30 06:54 "[PATCH 1/5] do not dereference NULL upon failed malloc", by Jim Meyering
2011.05.30 06:54 "[PATCH 2/5] avoid set-but-not-used warning from gcc", by Jim Meyering
2011.05.30 06:54 "[PATCH 3/5] tiff2pdf.c: remove decl+set of set-but-not-used local, "written"", by Jim Meyering
2011.05.30 06:54 "[PATCH 4/5] mark NULL-deref and possible overflow", by Jim Meyering
2011.05.30 06:54 "[PATCH 5/5] * rgb2ycbcr.c (cvtRaster): unchecked malloc", by Jim Meyering

2011.05.30 06:54 "[PATCH 4/5] mark NULL-deref and possible overflow", by Jim Meyering

From: Jim Meyering <meyering@redhat.com>

---
 libtiff/tif_jpeg.c |    2 ++
 tools/tiff2pdf.c   |    1 +
 tools/tiff2ps.c    |    1 +
 3 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
index 681b65b..6500c31 100644
--- a/libtiff/tif_jpeg.c
+++ b/libtiff/tif_jpeg.c
@@ -1823,6 +1823,7 @@ JPEGEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
         {
             line16_count = (sp->bytesperline * 2) / 3;
             line16 = (short *) _TIFFmalloc(sizeof(short) * line16_count);
+	    // FIXME: undiagnosed malloc failure
         }
             
 	while (nrows-- > 0) {
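Review bot: The FIXME added after the `_TIFFmalloc` call for `line16` records the missing check but leaves `line16` unchecked going into the `while (nrows-- > 0)` loop that follows. Since the condition is already identified, test `line16 == NULL` right here, report the error and return failure from `JPEGEncode` before the loop, instead of leaving a marker. As a style point, the marker uses a `//` comment while this file uses `/* ... */` block comments (see the `*/` at the top of the next hunk); the block form is the safer choice for C sources built with pre-C99 compilers.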
@@ -2311,6 +2312,7 @@ here hopefully is harmless.
 */
             sp->jpegtables_length = SIZE_OF_JPEGTABLES;
             sp->jpegtables = (void *) _TIFFmalloc(sp->jpegtables_length);
+	    // FIXME: NULL-deref after malloc failure
 	    _TIFFmemset(sp->jpegtables, 0, SIZE_OF_JPEGTABLES);
 #undef SIZE_OF_JPEGTABLES
         }
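Review bot: In this hunk the new comment sits between `_TIFFmalloc(sp->jpegtables_length)` and `_TIFFmemset(sp->jpegtables, 0, SIZE_OF_JPEGTABLES)`, so the NULL dereference it names still happens when the allocation fails. Suggest guarding the memset with a check on `sp->jpegtables` and failing out when it is NULL, and resetting `sp->jpegtables_length` to 0 on that path so the stored length never describes a buffer that was not allocated.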
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 958ed5e..cf8ab00 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -2375,6 +2375,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
 		}

 		if(t2p->pdf_sample & T2P_SAMPLE_REALIZE_PALETTE){
+			// FIXME: overflow?
 			samplebuffer=(unsigned char*)_TIFFrealloc( 
 				(tdata_t) buffer, 
 				t2p->tiff_datasize * t2p->tiff_samplesperpixel);
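Review bot: "FIXME: overflow?" does not say which expression is in doubt; it is the product `t2p->tiff_datasize * t2p->tiff_samplesperpixel` passed as the size argument to `_TIFFrealloc`. Suggest naming that product in the comment, or better, checking before the call that `tiff_datasize` does not exceed the maximum of the size type divided by `tiff_samplesperpixel` and reporting an error otherwise, because a wrapped product would request a smaller buffer than intended.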
diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
index 4184457..1b553c2 100644
--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
@@ -2595,6 +2595,7 @@ PSDataBW(FILE* fd, TIFF* tif, uint32 w, uint32 h)

 	(void) w; (void) h;
 	tf_buf = (unsigned char *) _TIFFmalloc(stripsize);
+	// FIXME
         memset(tf_buf, 0, stripsize);
 	if (tf_buf == NULL) {
 		TIFFError(filename, "No space for scanline buffer");
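Review bot: The bare `// FIXME` in `PSDataBW` gives no hint of the defect: `memset(tf_buf, 0, stripsize)` runs before the `if (tf_buf == NULL)` test on the next line, so a failed `_TIFFmalloc` is dereferenced before it is diagnosed. At minimum the comment should state that; the actual fix is moving the memset below the NULL check, which looks small enough to make in this patch instead of marking it.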
-- 
1.7.5.2.660.g9f46c