Check that image width shown in SOF doesn't exceed what libtiff has
allocated based on ImageWidth. Patch from upstream bug
http://bugzilla.maptools.org/show_bug.cgi?id=1999
diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2011-04-13 11:38:55.486008471 -0400
@@ -1537,7 +1537,6 @@
OJPEGReadSkip(sp,4);
else
{
- /* TODO: probably best to also add check on allowed upper bound, especially x, may cause buffer overflow otherwise i think */
/* Y: Number of lines */
if (OJPEGReadWord(sp,&p)==0)
return(0);
@@ -1555,6 +1554,11 @@
TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width");
return(0);
}
+ if ((uint32)p>sp->strile_width)
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width");
+ return(0);
+ }
sp->sof_x=p;
}
/* Nf: Number of image components in frame */