1994.10.17 10:58 "Bug in tiff2ps.c", by wchuang@MIT.EDU
There is a bug in tiff2ps.c in all versions up to and including v3.3beta021, in the function PSRawDataBW(). The code in question is:
    TIFFGetField(tif, TIFFTAG_FILLORDER, &fillorder);
    TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
    bufsize = bc[0];
    tf_buf = (unsigned char*) malloc(bufsize);
    if (tf_buf == NULL) {
        TIFFError(filename, "No space for strip buffer");
        return;
    }
    for (s = 0; s < TIFFNumberOfStrips(tif); s++) {
        if (bc[s] > bufsize) {
            tf_buf = (unsigned char *) realloc(tf_buf, bc[0]);
            if (tf_buf == NULL) {
                TIFFError(filename,
                    "No space for strip buffer");
                return;
            }
            bufsize = bc[0];
        }
        cc = TIFFReadRawStrip(tif, s, tf_buf, bc[s]);
where the latter 11 lines should instead read (note the indexing):
for (s = 0; s < TIFFNumberOfStrips(tif); s++) {
if (bc[s] > bufsize) {
! tf_buf = (unsigned char *) realloc(tf_buf, bc[s]);
if (tf_buf == NULL) {
TIFFError(filename,
"No space for strip buffer");
return;
}
! bufsize = bc[s];
}
cc = TIFFReadRawStrip(tif, s, tf_buf, bc[s]);
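Review bot: the realloc() on the first changed line still assigns its result straight back to tf_buf, so when it returns NULL the previous buffer is no longer reachable and leaks on the return path; keep the result in a temporary, free(tf_buf) before returning on failure, and only update tf_buf and bufsize once the call has succeeded. The switch from bc[0] to bc[s] itself is what makes bufsize match the length passed to TIFFReadRawStrip() on the last line, and since bc comes from the file's STRIPBYTECOUNTS tag it is worth checking the value before using it as an allocation size.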
If the strip sizes were ascending in the TIFF file, TIFFReadRawStrip() would start clobbering memory.
-William
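
The failure condition described in the message, replayed as an added example (not code from the original post or from libtiff). The function names grow_strip_buf and first_oversized_read and the byte counts are constructed for illustration; the example generalizes slightly beyond the ascending case by showing that any strip larger than strip 0 is enough to make the read length exceed the buffer under the original bookkeeping.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Grow *buf to at least `need` bytes; on failure the old buffer stays valid. */
static int grow_strip_buf(unsigned char **buf, size_t *cap, size_t need)
{
    unsigned char *tmp;
    if (need <= *cap)
        return 0;
    tmp = realloc(*buf, need);
    if (tmp == NULL)
        return -1;
    *buf = tmp;
    *cap = need;
    return 0;
}

/* Replay the loop's buffer bookkeeping over the strip byte counts.
 * use_fix = 0: resize to bc[0] (original); use_fix = 1: resize to bc[s].
 * Returns the first strip whose bc[s]-byte read would overrun the buffer,
 * -1 if none, -2 on allocation failure. No read is actually performed. */
static long first_oversized_read(const uint32_t *bc, size_t n, int use_fix)
{
    unsigned char *buf = NULL;
    size_t cap = 0, s;
    long hit = -1;
    if (n == 0)
        return -1;
    if (grow_strip_buf(&buf, &cap, bc[0]) != 0)
        return -2;
    for (s = 0; s < n && hit == -1; s++) {
        if (bc[s] > cap && grow_strip_buf(&buf, &cap, use_fix ? bc[s] : bc[0]) != 0)
            hit = -2;
        else if (bc[s] > cap)
            hit = (long)s;  /* read length exceeds what the buffer holds */
    }
    free(buf);
    return hit;
}

int main(void)
{
    const uint32_t mixed[] = { 200, 100, 500, 50 };  /* constructed byte counts */
    printf("original: %ld  corrected: %ld\n",
           first_oversized_read(mixed, 4, 0), first_oversized_read(mixed, 4, 1));
    return 0;
}
```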