Blame SOURCES/libtiff-checkbytecount.patch

7c98bb
Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
7c98bb
missing strip byte counts too.  Testing shows that tiffsplit.c has an issue
7c98bb
too.
7c98bb
7c98bb
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996
7c98bb
7c98bb
7c98bb
diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
7c98bb
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c	2010-06-08 19:29:51.000000000 -0400
7c98bb
+++ tiff-3.9.4/libtiff/tif_ojpeg.c	2010-06-22 11:25:17.579807706 -0400
7c98bb
@@ -1920,6 +1920,10 @@
7c98bb
 							sp->in_buffer_file_pos=0;
7c98bb
 						else
7c98bb
 						{
7c98bb
+							if (sp->tif->tif_dir.td_stripbytecount == 0) {
7c98bb
+								TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
7c98bb
+								return(0);
7c98bb
+							}
7c98bb
 							sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];  
7c98bb
 							if (sp->in_buffer_file_togo==0)
7c98bb
 								sp->in_buffer_file_pos=0;
7c98bb
diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
7c98bb
--- tiff-3.9.4.orig/tools/tiffsplit.c	2010-06-08 14:50:44.000000000 -0400
7c98bb
+++ tiff-3.9.4/tools/tiffsplit.c	2010-06-22 12:23:23.258823151 -0400
7c98bb
@@ -237,7 +237,10 @@
7c98bb
 		tstrip_t s, ns = TIFFNumberOfStrips(in);
7c98bb
 		uint32 *bytecounts;
7c98bb
 
7c98bb
-		TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
7c98bb
+		if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
7c98bb
+			fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
7c98bb
+			return (0);
7c98bb
+		}
7c98bb
 		for (s = 0; s < ns; s++) {
7c98bb
 			if (bytecounts[s] > (uint32)bufsize) {
7c98bb
 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
7c98bb
@@ -267,7 +270,10 @@
7c98bb
 		ttile_t t, nt = TIFFNumberOfTiles(in);
7c98bb
 		uint32 *bytecounts;
7c98bb
 
7c98bb
-		TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
7c98bb
+		if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
7c98bb
+			fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
7c98bb
+			return (0);
7c98bb
+		}
7c98bb
 		for (t = 0; t < nt; t++) {
7c98bb
 			if (bytecounts[t] > (uint32) bufsize) {
7c98bb
 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);