← Back to branch summary

~ubuntu-branches/ubuntu/precise/tiff/precise-security

« back to all changes in this revision

Viewing changes to tools/thumbnail.c

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-30 08:11:18 UTC
  • Revision ID: package-import@ubuntu.com-20150330081118-bvaoaii1act27voq
Tags: 3.9.5-2ubuntu1.7
* SECURITY UPDATE: Fix multiple security issues
  - debian/patches/CVE-2014-81xx-1.patch to CVE-2014-81xx-11.patch
  - debian/patches/CVE-2014-8128-5.patch
  - debian/patches/CVE-2014-9655-1.patch to CVE-2014-9655-3.patch
  - debian/patches/read_overrun.patch
  - debian/patches/CVE-2014-8130.patch
  - CVE-2014-8127 (partially)
  - CVE-2014-8128
  - CVE-2014-8129
  - CVE-2014-8130
  - CVE-2014-9330
  - CVE-2014-9655

Show diffs side-by-side

added added

removed removed

Lines of Context:
tools/thumbnail.c
237
237
    { TIFFTAG_CLEANFAXDATA,             1, TIFF_SHORT },
238
238
    { TIFFTAG_CONSECUTIVEBADFAXLINES,   1, TIFF_LONG },
239
239
    { TIFFTAG_INKSET,                   1, TIFF_SHORT },
240
 
    { TIFFTAG_INKNAMES,                 1, TIFF_ASCII },
 
240
    /*{ TIFFTAG_INKNAMES,                       1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
241
241
    { TIFFTAG_DOTRANGE,                 2, TIFF_SHORT },
242
242
    { TIFFTAG_TARGETPRINTER,            1, TIFF_ASCII },
243
243
    { TIFFTAG_SAMPLEFORMAT,             1, TIFF_SHORT },
254
254
{
255
255
    struct cpTag *p;
256
256
    for (p = tags; p < &tags[NTAGS]; p++)
257
 
        cpTag(in, out, p->tag, p->count, p->type);
 
257
        {
 
258
                /* Horrible: but TIFFGetField() expects 2 arguments to be passed */
 
259
                /* if we request a tag that is defined in a codec, but that codec */
 
260
                /* isn't used */
 
261
                if( p->tag == TIFFTAG_GROUP3OPTIONS )
 
262
                {
 
263
                        uint16 compression;
 
264
                        if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
 
265
                                compression != COMPRESSION_CCITTFAX3 )
 
266
                                continue;
 
267
                }
 
268
                if( p->tag == TIFFTAG_GROUP4OPTIONS )
 
269
                {
 
270
                        uint16 compression;
 
271
                        if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
 
272
                                compression != COMPRESSION_CCITTFAX4 )
 
273
                                continue;
 
274
                }
 
275
                cpTag(in, out, p->tag, p->count, p->type);
 
276
        }
258
277
}
259
278
#undef NTAGS
260
279
 
529
548
            err -= limit;
530
549
            sy++;
531
550
            if (err >= limit)
532
 
                rows[nrows++] = br + bpr*sy;
 
551
                {
 
552
                        /* We should perhaps error loudly, but I can't make sense of that */
 
553
                        /* code... */
 
554
                        if( nrows == 256 )
 
555
                                break;
 
556
                        rows[nrows++] = br + bpr*sy;
 
557
                }
533
558
        }
534
559
        setrow(row, nrows, rows);
535
560
        row += tnw;
565
590
    rowsize = TIFFScanlineSize(in);
566
591
    rastersize = sh * rowsize;
567
592
    fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
568
 
    raster = (unsigned char*)_TIFFmalloc(rastersize);
 
593
        /* +3 : add a few guard bytes since setrow() can read a bit */
 
594
        /* outside buffer */
 
595
    raster = (unsigned char*)_TIFFmalloc(rastersize+3);
569
596
    if (!raster) {
570
597
            TIFFError(TIFFFileName(in),
571
598
                      "Can't allocate space for raster buffer.");
572
599
            return 0;
573
600
    }
 
601
    raster[rastersize] = 0;
 
602
    raster[rastersize+1] = 0;
 
603
    raster[rastersize+2] = 0;
574
604
    rp = raster;
575
605
    for (s = 0; s < ns; s++) {
576
606
        (void) TIFFReadEncodedStrip(in, s, rp, -1);