commit fc9eedf265394eb8a5633160a8fcdb7ece072701 Author: erouault Date: Sat Dec 3 13:00:03 2016 +0000 * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 diff --git a/ChangeLog b/ChangeLog index 50db803..2940828 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ 2016-12-03 Even Rouault + * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 + +2016-12-03 Even Rouault + * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer. Reported by Agostino Sarubbo. diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index 9122aab..21dd087 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -1,4 +1,4 @@ -/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */ +/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of * the image data through additional options listed below @@ -1164,7 +1164,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf, tdata_t obuf; (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); - (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); + (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps); bytes_per_sample = (bps + 7) / 8; if( width == 0 || (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width || @@ -4760,7 +4760,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length, int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; uint32 j; int32 bytes_read = 0; - uint16 bps, planar; + uint16 bps = 0, planar; uint32 nstrips; uint32 strips_per_sample; uint32 src_rowsize, dst_rowsize, rows_processed, rps; @@ -4780,7 +4780,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length, } memset (srcbuffs, '\0', sizeof(srcbuffs)); - TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); + TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar); TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); if (rps > length)