From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001
From: Nathan Baker <elitebadger@gmail.com>
Date: Thu, 25 Jan 2018 21:28:15 +0000
Subject: [PATCH] Add workaround to pal2rgb buffer overflow.

---
 tools/pal2rgb.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 0423598..01fcf94 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -184,8 +184,21 @@ main(int argc, char* argv[])
 	{ unsigned char *ibuf, *obuf;
 	  register unsigned char* pp;
 	  register uint32 x;
-	  ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
-	  obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+	  tmsize_t tss_in = TIFFScanlineSize(in);
+	  tmsize_t tss_out = TIFFScanlineSize(out);
+	  if (tss_out / tss_in < 3) {
+		/*
+		 * BUG 2750: The following code does not know about chroma
+		 * subsampling of JPEG data. It assumes that the output buffer is 3x
+		 * the length of the input buffer due to exploding the palette into
+		 * RGB tuples. If this assumption is incorrect, it could lead to a
+		 * buffer overflow. Go ahead and fail now to prevent that.
+		 */
+		fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
+		return -1;
+      }
+	  ibuf = (unsigned char*)_TIFFmalloc(tss_in);
+	  obuf = (unsigned char*)_TIFFmalloc(tss_out);
 	  switch (config) {
 	  case PLANARCONFIG_CONTIG:
 		for (row = 0; row < imagelength; row++) {
--
libgit2 0.27.0