2011.05.30 06:54 "[Tiff] tiff-4.0.0beta7: fix/mark a few minor bugs", by Jim Meyering

2011.05.30 06:54 "[Tiff] [PATCH 4/5] mark NULL-deref and possible overflow", by Jim Meyering

From: Jim Meyering <meyering@redhat.com>

---

 libtiff/tif_jpeg.c |    2 ++
 tools/tiff2pdf.c   |    1 +
 tools/tiff2ps.c    |    1 +
 3 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c

index 681b65b..6500c31 100644

--- a/libtiff/tif_jpeg.c
+++ b/libtiff/tif_jpeg.c

@@ -1823,6 +1823,7 @@ JPEGEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
         {
             line16_count = (sp->bytesperline * 2) / 3;
             line16 = (short *) _TIFFmalloc(sizeof(short) * line16_count);
+ // FIXME: undiagnosed malloc failure
         }

        while (nrows-- > 0) {
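Review bot: The new `// FIXME: undiagnosed malloc failure` only records the unchecked `_TIFFmalloc` on the line above it; `line16` is still consumed by the `while (nrows-- > 0)` loop that follows, so a NULL return reaches the encoder unchanged. Replace the marker with a real check, e.g. `if (line16 == NULL) { TIFFErrorExt(tif->tif_clientdata, "JPEGEncode", "Out of memory allocating 16-bit line buffer"); return 0; }`, using whatever failure value JPEGEncode's callers expect (0 if it follows the other codec encode routines; the return type is not visible here). Separately, the added line is a `//` comment at column 0 inside an indented block, while the file's neighbouring comments are `/* ... */` style (see the `*/` that opens the second hunk); if a marker must stay, write it as `/* FIXME: ... */` indented with the statement it annotates. JPEGEncode starts and ends outside this hunk.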
@@ -2311,6 +2312,7 @@ here hopefully is harmless.
 */
             sp->jpegtables_length = SIZE_OF_JPEGTABLES;
             sp->jpegtables = (void *) _TIFFmalloc(sp->jpegtables_length);
+ // FIXME: NULL-deref after malloc failure
            _TIFFmemset(sp->jpegtables, 0, SIZE_OF_JPEGTABLES);
 #undef SIZE_OF_JPEGTABLES
         }
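Review bot: `_TIFFmemset(sp->jpegtables, 0, SIZE_OF_JPEGTABLES)` on the line after the new comment dereferences the `_TIFFmalloc` result unconditionally, so the `FIXME: NULL-deref after malloc failure` names the bug without closing it. Guard before the memset with `if (sp->jpegtables == NULL) { sp->jpegtables_length = 0; return 0; }` — resetting the length matters because `sp->jpegtables_length` has already been set to SIZE_OF_JPEGTABLES, and leaving it non-zero would let later code treat a NULL pointer as 2000 bytes of table data. The return value should follow the enclosing function's convention, which is not visible here; the function starts and ends outside this hunk.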
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 958ed5e..cf8ab00 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -2375,6 +2375,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
                }

                if(t2p->pdf_sample & T2P_SAMPLE_REALIZE_PALETTE){
+ // FIXME: overflow?
                        samplebuffer=(unsigned char*)_TIFFrealloc(
                                (tdata_t) buffer,
                                t2p->tiff_datasize * t2p->tiff_samplesperpixel);
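Review bot: The `// FIXME: overflow?` marker answers its own question: `t2p->tiff_datasize * t2p->tiff_samplesperpixel` multiplies two values derived from the input TIFF, so the `_TIFFrealloc` size can wrap and the palette expansion that presumably follows (outside the hunk) would then write into a buffer far smaller than it expects. Check before the call, e.g. `if (t2p->tiff_samplesperpixel != 0 && t2p->tiff_datasize > TIFF_TMSIZE_T_MAX / t2p->tiff_samplesperpixel) { /* TIFFError, flag the failure the way the rest of t2p_readwrite_pdf_image does, return 0 */ }`, substituting the maximum that matches `tiff_datasize`'s actual type (TIFF_TMSIZE_T_MAX only if it is tmsize_t; the T2P struct is not in view). Whether the realloc result in `samplebuffer` is NULL-checked lies past the end of the hunk and should be confirmed as well. t2p_readwrite_pdf_image starts and ends outside this hunk.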
diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
index 4184457..1b553c2 100644
--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
@@ -2595,6 +2595,7 @@ PSDataBW(FILE* fd, TIFF* tif, uint32 w, uint32 h)

        (void) w; (void) h;
        tf_buf = (unsigned char *) _TIFFmalloc(stripsize);
+ // FIXME
         memset(tf_buf, 0, stripsize);
        if (tf_buf == NULL) {

TIFFError(filename, "No space for scanline buffer");
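Review bot: `memset(tf_buf, 0, stripsize)` runs before the `if (tf_buf == NULL)` test that immediately follows it, so on allocation failure the tool writes through a NULL pointer before it ever reaches the `TIFFError` — the bare `// FIXME` marks this, but the fix is a two-line reorder rather than a note. Remove the memset from its current position and place it after the NULL-check block: `if (tf_buf == NULL) { TIFFError(filename, "No space for scanline buffer"); ... }` first, then `memset(tf_buf, 0, stripsize);`. The body of that `if` continues past the end of the hunk, so confirm it actually leaves the function before the memset would be reached. PSDataBW starts and ends outside this hunk.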

--
1.7.5.2.660.g9f46c