AWARE [SYSTEMS] Imaging expertise for the Delphi developer
AWare Systems, Imaging expertise for the Delphi developer, Home TIFF and LibTiff Mailing List Archive

LibTiff Mailing List

TIFF and LibTiff Mailing List Archive
October 1994

Previous Thread
Next Thread

Previous by Thread
Next by Thread

Previous by Date
Next by Date

Contact

The TIFF Mailing List Homepage
This list is run by Frank Warmerdam
Archive maintained by AWare Systems



Valid HTML 4.01!



1994.10.17 10:58 "Bug in tiff2ps.c", by <wchuang@mit.edu>

There is a bug in the tiff2ps.c in all versions up to and including
v3.3beta021, in the function PSRawDataBW().  The code in question is:

        TIFFGetField(tif, TIFFTAG_FILLORDER, &fillorder);
        TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
        bufsize = bc[0];
        tf_buf = (unsigned char*) malloc(bufsize);
        if (tf_buf == NULL) {
                TIFFError(filename, "No space for strip buffer");
                return;
        }
        for (s = 0; s < TIFFNumberOfStrips(tif); s++) {
                if (bc[s] > bufsize) {
                        tf_buf = (unsigned char *) realloc(tf_buf, bc[0]);
                        if (tf_buf == NULL) {
                                TIFFError(filename,
                                    "No space for strip buffer");
                                return;
                        }
                        bufsize = bc[0];
                }
                cc = TIFFReadRawStrip(tif, s, tf_buf, bc[s]);

where the latter 11 lines should instead read (note the indexing):

        for (s = 0; s < TIFFNumberOfStrips(tif); s++) {
                if (bc[s] > bufsize) {
!                       tf_buf = (unsigned char *) realloc(tf_buf, bc[s]);
                        if (tf_buf == NULL) {
                                TIFFError(filename,
                                    "No space for strip buffer");
                                return;
                        }
!                       bufsize = bc[s];
                }
                cc = TIFFReadRawStrip(tif, s, tf_buf, bc[s]);

If the strip sizes were ascending in the TIFF file, TIFFReadRawStrip()
would start clobbering memory.

-William