1994.10.17 10:58 "Bug in tiff2ps.c", by wchuang@MIT.EDU

There is a bug in tiff2ps.c in all versions up to and including v3.3beta021, in the function PSRawDataBW(). The code in question is:

        TIFFGetField(tif, TIFFTAG_FILLORDER, &fillorder);
        TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
        bufsize = bc[0];
        tf_buf = (unsigned char*) malloc(bufsize);
        if (tf_buf == NULL) {
                TIFFError(filename, "No space for strip buffer");
                return;
        }
        for (s = 0; s < TIFFNumberOfStrips(tif); s++) {
                if (bc[s] > bufsize) {
                        tf_buf = (unsigned char *) realloc(tf_buf, bc[0]);
                        if (tf_buf == NULL) {
                                TIFFError(filename,
                                    "No space for strip buffer");
                                return;
                        }
                        bufsize = bc[0];
                }
                cc = TIFFReadRawStrip(tif, s, tf_buf, bc[s]);

where the latter 11 lines should instead read (note the indexing):

        for (s = 0; s < TIFFNumberOfStrips(tif); s++) {
                if (bc[s] > bufsize) {
!                       tf_buf = (unsigned char *) realloc(tf_buf, bc[s]);
                        if (tf_buf == NULL) {
                                TIFFError(filename,
                                    "No space for strip buffer");
                                return;
                        }
!                       bufsize = bc[s];
                }
                cc = TIFFReadRawStrip(tif, s, tf_buf, bc[s]);
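
Review bot: on the realloc line, the result is assigned straight back to tf_buf, so when realloc returns NULL the original block is no longer reachable and the return in the error branch leaks it. Assign the result to a temporary pointer, and on failure free tf_buf before returning. A short comment that bufsize tracks the largest strip seen so far would also help, since the TIFFReadRawStrip call below trusts bc[s] to fit in the buffer.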

If the strip sizes were ascending in the TIFF file, TIFFReadRawStrip() would start clobbering memory.

-William
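
The condition described in this report can be checked without touching libtiff. The following is an added example, not code from the original message or from tiff2ps. It walks a list of strip byte counts the way the loop does and reports the first strip whose raw read would not fit the buffer. The names `grow_strip_buf`, `first_oversized_read` and `use_bc0` are hypothetical and the byte counts are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: grow *buf to hold at least `need` bytes.
 * Uses a temporary so the old block is not lost if realloc fails. */
static int grow_strip_buf(unsigned char **buf, size_t *cap, size_t need)
{
    unsigned char *tmp;
    if (need <= *cap)
        return 0;
    tmp = realloc(*buf, need);
    if (tmp == NULL)
        return -1;          /* caller still owns *buf and must free it */
    *buf = tmp;
    *cap = need;
    return 0;
}

/* Walk the strip byte counts the way the loop does, tracking the real
 * allocation size. Returns the index of the first strip whose raw read
 * would exceed the buffer, or -1 if every read fits.
 * use_bc0 = 1 reproduces the reported indexing (always bc[0]). */
static long first_oversized_read(const size_t *bc, size_t nstrips, int use_bc0)
{
    unsigned char *buf = NULL;
    size_t cap = 0, s;
    long bad = -1;

    if (nstrips == 0 || grow_strip_buf(&buf, &cap, bc[0]) != 0)
        return -1;
    for (s = 0; s < nstrips && bad < 0; s++) {
        size_t need = use_bc0 ? bc[0] : bc[s];
        if (bc[s] > cap && grow_strip_buf(&buf, &cap, need) != 0)
            break;
        if (bc[s] > cap)    /* TIFFReadRawStrip would write bc[s] bytes here */
            bad = (long)s;
    }
    free(buf);
    return bad;
}

int main(void)
{
    const size_t ascending[] = { 100, 200, 300 };   /* constructed sample */
    printf("bc[0] indexing: strip %ld\n", first_oversized_read(ascending, 3, 1));
    printf("bc[s] indexing: strip %ld\n", first_oversized_read(ascending, 3, 0));
    return 0;
}
```

No strip data is read here; only the sizes are compared, so the check is safe to run on byte counts taken from an untrusted file.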