- 2011.05.30 06:54 "[Tiff] [PATCH 1/5] do not dereference NULL upon failed malloc", by Jim Meyering
- 2011.05.30 06:54 "[Tiff] [PATCH 5/5] * rgb2ycbcr.c (cvtRaster): unchecked malloc", by Jim Meyering
2011.05.30 06:54 "[Tiff] [PATCH 4/5] mark NULL-deref and possible overflow", by Jim Meyering
From: Jim Meyering <meyering@redhat.com>
---
libtiff/tif_jpeg.c | 2 ++
tools/tiff2pdf.c | 1 +
tools/tiff2ps.c | 1 +
3 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
index 681b65b..6500c31 100644
--- a/libtiff/tif_jpeg.c
+++ b/libtiff/tif_jpeg.c
@@ -1823,6 +1823,7 @@ JPEGEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
{
line16_count = (sp->bytesperline * 2) / 3;
line16 = (short *) _TIFFmalloc(sizeof(short) * line16_count);
+ // FIXME: undiagnosed malloc failure
}
while (nrows-- > 0) {
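Review bot: The `_TIFFmalloc` result assigned to `line16` is still used unchecked, because the added line only records the problem in a comment. A guard right after the allocation would close it, for example `if (!line16) { TIFFErrorExt(tif->tif_clientdata, "JPEGEncode", "Failed to allocate memory"); return 0; }`, assuming 0 is this function's failure return (JPEGEncode's body continues outside the hunk, so confirm). The second hunk in this file has the same defect: `sp->jpegtables` goes straight into `_TIFFmemset`, and `sp->jpegtables_length` already holds `SIZE_OF_JPEGTABLES` by then, so the failure path there should also reset the length to 0 so the pair stays consistent. The `sizeof(short) * line16_count` product deserves a range check as well if `bytesperline` can be influenced by file contents, which the hunk does not show.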
@@ -2311,6 +2312,7 @@ here hopefully is harmless.
*/
sp->jpegtables_length = SIZE_OF_JPEGTABLES;
sp->jpegtables = (void *) _TIFFmalloc(sp->jpegtables_length);
+ // FIXME: NULL-deref after malloc failure
_TIFFmemset(sp->jpegtables, 0, SIZE_OF_JPEGTABLES);
#undef SIZE_OF_JPEGTABLES
}
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 958ed5e..cf8ab00 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -2375,6 +2375,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
}
if(t2p->pdf_sample & T2P_SAMPLE_REALIZE_PALETTE){
+ // FIXME: overflow?
samplebuffer=(unsigned char*)_TIFFrealloc(
(tdata_t)
buffer,
t2p->tiff_datasize
* t2p->tiff_samplesperpixel);
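Review bot: `// FIXME: overflow?` does not say what overflows. The size argument `t2p->tiff_datasize * t2p->tiff_samplesperpixel` passed to `_TIFFrealloc` can wrap, which would return a buffer smaller than the palette expansion that presumably follows expects. The comment should name that product, and the fix is a check before multiplying, e.g. fail when `t2p->tiff_datasize > MAX / t2p->tiff_samplesperpixel`, where `MAX` stands for the limit of the size type used here (the field types are not visible in the hunk). The call and the enclosing function continue outside the hunk, so whether `samplebuffer` is tested for NULL afterwards cannot be seen from here.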
diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
index 4184457..1b553c2 100644
--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
@@ -2595,6 +2595,7 @@ PSDataBW(FILE* fd, TIFF* tif, uint32 w, uint32 h)
(void) w; (void) h;
tf_buf = (unsigned char *) _TIFFmalloc(stripsize);
+ // FIXME
memset(tf_buf, 0, stripsize);
if (tf_buf == NULL) {
TIFFError(filename, "No space for scanline buffer");
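Review bot: `memset(tf_buf, 0, stripsize);` runs before the `if (tf_buf == NULL)` test on the next line, so a failed `_TIFFmalloc` is dereferenced before it is diagnosed, and the bare `// FIXME` does not say so. Moving the `memset` to after the NULL-check block fixes this without any new code. If only a marker is wanted for now, it should state the problem, e.g. `/* FIXME: memset precedes the NULL check on tf_buf */`. If the tree still targets pre-C99 compilers, `/* */` is the safer comment form here and in the other three hunks. The NULL-check block and PSDataBW continue outside the hunk.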
--
1.7.5.2.660.g9f46c