Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
missing strip byte counts too. Testing shows that tiffsplit.c has an issue
too.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996
diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2010-06-22 11:25:17.579807706 -0400
@@ -1920,6 +1920,10 @@
sp->in_buffer_file_pos=0;
else
{
+ if (sp->tif->tif_dir.td_stripbytecount == 0) {
+ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
+ return(0);
+ }
sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];
if (sp->in_buffer_file_togo==0)
sp->in_buffer_file_pos=0;
diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
--- tiff-3.9.4.orig/tools/tiffsplit.c 2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/tiffsplit.c 2010-06-22 12:23:23.258823151 -0400
@@ -237,7 +237,10 @@
tstrip_t s, ns = TIFFNumberOfStrips(in);
uint32 *bytecounts;
- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
+ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
+ fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
+ return (0);
+ }
for (s = 0; s < ns; s++) {
if (bytecounts[s] > (uint32)bufsize) {
buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
@@ -267,7 +270,10 @@
ttile_t t, nt = TIFFNumberOfTiles(in);
uint32 *bytecounts;
- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
+ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
+ fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
+ return (0);
+ }
for (t = 0; t < nt; t++) {
if (bytecounts[t] > (uint32) bufsize) {
buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);