From bb2505b3d099104a296823fc3a456680417475b0 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>

Date: Thu, 12 Jan 2017 11:30:40 +0100

Subject: [PATCH 4/5] Fix CVE-2016-5652

---

 tools/tiff2pdf.c | 17 ++++++++++-------

 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c

index fbca305..9df5b16 100644

--- a/tools/tiff2pdf.c

+++ b/tools/tiff2pdf.c

@@ -2826,21 +2826,24 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_

 				return(0);

 			}

 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {

-				if (count > 0) {

-					_TIFFmemcpy(buffer, jpt, count);

+				if (count >= 4) {

+                    /* Ignore EOI marker of JpegTables */

+					_TIFFmemcpy(buffer, jpt, count - 2);

 					bufferoffset += count - 2;

+                    /* Store last 2 bytes of the JpegTables */

 					table_end[0] = buffer[bufferoffset-2];

 					table_end[1] = buffer[bufferoffset-1];

-				}

-				if (count > 0) {

 					xuint32 = bufferoffset;

+                    bufferoffset -= 2;

 					bufferoffset += TIFFReadRawTile(

 						input, 

 						tile, 

-						(tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), 

+						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), 

 						-1);

-						buffer[xuint32-2]=table_end[0];

-						buffer[xuint32-1]=table_end[1];

+                    /* Overwrite SOI marker of image scan with previously */

+                    /* saved end of JpegTables */

+					buffer[xuint32-2]=table_end[0];

+					buffer[xuint32-1]=table_end[1];

 				} else {

 					bufferoffset += TIFFReadRawTile(

 						input, 

-- 

2.7.4