Blob Blame History Raw
Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
missing strip byte counts too.  Testing shows that tiffsplit.c has an issue
too.

Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996


diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c	2010-06-08 19:29:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_ojpeg.c	2010-06-22 11:25:17.579807706 -0400
@@ -1920,6 +1920,10 @@
 							sp->in_buffer_file_pos=0;
 						else
 						{
+							if (sp->tif->tif_dir.td_stripbytecount == 0) {
+								TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
+								return(0);
+							}
 							sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];  
 							if (sp->in_buffer_file_togo==0)
 								sp->in_buffer_file_pos=0;
diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
--- tiff-3.9.4.orig/tools/tiffsplit.c	2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffsplit.c	2010-06-22 12:23:23.258823151 -0400
@@ -237,7 +237,10 @@
 		tstrip_t s, ns = TIFFNumberOfStrips(in);
 		uint32 *bytecounts;
 
-		TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
+		if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
+			fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
+			return (0);
+		}
 		for (s = 0; s < ns; s++) {
 			if (bytecounts[s] > (uint32)bufsize) {
 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
@@ -267,7 +270,10 @@
 		ttile_t t, nt = TIFFNumberOfTiles(in);
 		uint32 *bytecounts;
 
-		TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
+		if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
+			fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
+			return (0);
+		}
 		for (t = 0; t < nt; t++) {
 			if (bytecounts[t] > (uint32) bufsize) {
 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);