AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

2000.04.04 10:21 "Suggested changes to tif_win32.c", by Arvan Pritchard

These changes to libtiff version 3.5.5 arise out of testing with BoundsChecker. There are two problems:

1) An overread of the mode in TIFFFdOpen()

155c155,157
< BOOL fSuppressMap = (mode[1] == 'u' || mode[2] == 'u');
---

>     // Avoid reading uninitialised memory - note that this
>     // use of 'u' does not match the spec
>       BOOL fSuppressMap = (mode[1] == 'u' || (mode[1]!=0 && mode[2] == 'u'));
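Review bot: In the new fSuppressMap expression, mode[1] is still read unconditionally, so a zero-length mode string is read one byte past its terminator; the added mode[1]!=0 test only protects the mode[2] access. If TIFFFdOpen() can be reached with an empty mode, test mode[0] first as well, or replace the indexed tests with a scan that stops at the terminator. The comment's remark that this use of 'u' does not match the spec would be more useful with a sentence on what the spec expects, and /* */ comments are safer than // for compilers that only accept older C.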

2) Overwriting in _TIFFrealloc() when reducing the size.

229,231c231,244

<               if ((pvTmp = GlobalAlloc(GMEM_FIXED, s)) != NULL) {
<                       CopyMemory(pvTmp, p, GlobalSize(p));
<                       GlobalFree(p);

---

>         tsize_t old=GlobalSize(p);
>         if (old>=s)
>         {
>                   if ((pvTmp = GlobalAlloc(GMEM_FIXED, s)) != NULL) {
>                           CopyMemory(pvTmp, p, s);
>                           GlobalFree(p);
>             }
>         }
>         else
>         {
>                   if ((pvTmp = GlobalAlloc(GMEM_FIXED, s)) != NULL) {
>                           CopyMemory(pvTmp, p, old);
>                           GlobalFree(p);
>             }
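Review bot: The two branches under if (old>=s) differ only in the length passed to CopyMemory (s versus old), so the GlobalAlloc/CopyMemory/GlobalFree sequence is duplicated. Computing the copy length once, for example old < s ? old : s, and keeping a single sequence would be shorter and easier to audit. The else block has no closing brace inside the hunk and relies on the unchanged line that follows it, whose indentation will no longer match. GlobalSize() returns 0 on failure, and this code would treat that as a valid old size, copy nothing and still free p. It is also worth confirming that tsize_t old and s have matching signedness for the old>=s comparison.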

--
Arvan Pritchard
Informatix Software International Limited
Daedalus House, Station Road, Cambridge, CB1 2RE
arvan.pritchard@informatix.co.uk