ref: 83c062390dca2b38940c07821f0eecf77cd5a217
parent: e722419fe531ddf78a1d3a0576a8d92e997db8ac
author: ppatience0 <ppatience0@gmail.com>
date: Sat Jul 20 12:42:33 EDT 2013
readtif, writetif: prevent buffer overflows in some corner cases
--- a/sys/src/cmd/jpg/readtif.c
+++ b/sys/src/cmd/jpg/readtif.c
@@ -804,6 +804,8 @@
f->st = -1;
return nil;
}
+ if(j+1 >= f->nl)
+ faxalloclines(f);
len = p->len;
code = p->code;
if(code == 1 && len == 3) {@@ -852,8 +854,6 @@
f->l2[j++] = *x;
f->st ^= 1;
}
- if(j >= f->nl)
- faxalloclines(f);
a0 = *x;
}
memmove(f->l1, f->l2, j*sizeof *f->l1);
--- a/sys/src/cmd/jpg/writetif.c
+++ b/sys/src/cmd/jpg/writetif.c
@@ -933,6 +933,7 @@
{int b, repl;
long i, j, k, n;
+ ulong m;
i = n = 0;
buf[n++] = i;
@@ -974,8 +975,9 @@
i++;
if(b == 0)
continue;
- if(p->n+1+(k<0?1:b) > p->ndata) {- p->ndata *= 2;
+ m = 1 + (k < 0? 1: b);
+ if(p->n+m > p->ndata) {+ p->ndata = (p->n + m) * 2;
p->data = realloc(p->data,
p->ndata*sizeof *p->data);
if(p->data == nil)
--
⑨