
2011.10.19 21:20 "[Tiff] Possible bug in tiffsplit and patch proposal", by Christophe Deroulers
Dear all,
According to the most recent documentation, when getting the field JPEGTables (TIFFTAG_JPEGTABLES) with function TIFFGetField, the returned "count" is a uint32 -- see e.g. http://libtiff.maptools.org/man/TIFFGetField.3tiff.html. However, in the versions of the tool "tiffsplit" provided with tiff-3.9.5 and tiff-4.0.0beta7, a pointer to a uint16 is passed to TIFFGetField, which is IMHO wrong and may lead to some overwriting of another variable or memory zone. If this is right, here is a patch proposal to the two versions of tiffsplit:
====== for tiff-3.9.5 =======
--- tiffsplit.c.orig 2010-12-14 02:45:51.000000000 +0100
+++ tiffsplit.c 2011-10-19 20:16:57.000000000 +0200
@@ -172,7 +172,7 @@
CopyField(TIFFTAG_SAMPLESPERPIXEL, samplesperpixel);
CopyField(TIFFTAG_COMPRESSION, compression);
if (compression == COMPRESSION_JPEG) {
- uint16 count = 0;
+ uint32 count = 0;
void *table = NULL;
if (TIFFGetField(in, TIFFTAG_JPEGTABLES, &count, &table)
&& count > 0 && table) {
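Review bot: the body of the `if` opened at `&& count > 0 && table) {` is cut off by the hunk, and that is where `count` gets used after the widening. TIFFGetField receives `&count` through a variable argument list, so the compiler does not check the pointee width here, and it will not check whatever the body hands `count` to either. Please confirm that every use of `count` inside the block expects the same 32-bit type, and include that line in the patch context so the change can be reviewed end to end.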
=============================
====== for tiff-4.0.0beta7 ===
--- tiffsplit.c.orig 2010-12-14 02:45:44.000000000 +0100
+++ tiffsplit.c 2011-10-19 20:20:26.000000000 +0200
@@ -172,7 +172,7 @@
CopyField(TIFFTAG_SAMPLESPERPIXEL, samplesperpixel);
CopyField(TIFFTAG_COMPRESSION, compression);
if (compression == COMPRESSION_JPEG) {
- uint16 count = 0;
+ uint32 count = 0;
void *table = NULL;
if (TIFFGetField(in, TIFFTAG_JPEGTABLES, &count, &table)
&& count > 0 && table) {
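Review bot: the new `uint32 count = 0;` declaration carries no comment explaining why the width matters, so a later cleanup could narrow it back without any compiler diagnostic. A one-line comment above it, for example `/* JPEGTables count is returned as uint32 */`, would record the reason given in the mail next to the code it protects.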
=============================
Hope this helps -- best wishes,
Christophe Deroulers
Laboratory IMNC & Physics Dept. of the University Paris Diderot-Paris 7