From 2c5d45edb5c9b59936959023c52aa33c94ce7007 Mon Sep 17 00:00:00 2001
From: Stefan Csomor
Date: Wed, 9 Aug 2000 10:15:58 +0000
Subject: [PATCH] moved code fix from 3.5.5 into this release

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@7986 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
---
 src/tiff/tif_fax3.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/src/tiff/tif_fax3.c b/src/tiff/tif_fax3.c
index d10ee1a254..a5471618f7 100644
--- a/src/tiff/tif_fax3.c
+++ b/src/tiff/tif_fax3.c
@@ -499,7 +499,33 @@ Fax3SetupState(TIFF* tif)
 uint32 nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels;
+#if 0
 dsp->runs = (uint32*) _TIFFmalloc(nruns*sizeof (uint16));
+#endif
+ /*
+Problem
+-------
+
+Decoding the file frle_bug.tif causes a crash (such as with tiff2rgba).
+
+In particular the array dsp->runs allocated in Fax3SetupState() is overrun
+by 4-8 bytes. This occurs when Fax3DecodeRLE() processes the first
+scanline. The EXPAND1D() macro advances "pa" to be thisrun+512 (an
+alias for dsp->runs), pointing just beyond the end of the array. Then
+the call to _TIFFFax3fillruns() does an "*erun++ = 0;" which writes beyond
+the end of the array.
+
+In the short term I have modified the dsp->runs allocation to add eight
+extra bytes to the runs buffer; however, I am only doing this because I
+don't understand the algorithm well enough to change it without risking
+more adverse side effects.
+
+Frank Warmerdam (warmerda@home.com)
+
+ */
+
+ dsp->runs = (uint32*) _TIFFmalloc(8+nruns*sizeof (uint32));
+
 if (dsp->runs == NULL) {
 TIFFError("Fax3SetupState",
 "%s: No space for Group 3/4 run arrays",
-- 
2.45.2
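Review bot: The replacement allocation `dsp->runs = (uint32*) _TIFFmalloc(8+nruns*sizeof (uint32));` folds two unrelated changes into one line — the element size goes from `sizeof (uint16)` to `sizeof (uint32)`, matching the `uint32*` type of `dsp->runs`, and eight slack bytes are appended — but the pasted report explains only the slack, so the element-size correction deserves its own why-comment, e.g. `/* runs holds uint32 entries; sizing by uint16 under-allocated it by half */`. The padding is a mitigation rather than a fix: by the report's own account `_TIFFFax3fillruns()` still executes `*erun++ = 0;` past the end of the array, so the write should be bounded at its source (a check of the output pointer against the end of `dsp->runs`), and the bare `8` should become a named constant tied to that bound so the next reader knows what it covers. Keeping the old line under `#if 0` leaves dead code in the function; deleting it and condensing the twenty-line report into a two-line comment that cites frle_bug.tif and the overrun size would keep Fax3SetupState() readable. Fax3SetupState() starts and ends outside the hunk.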