From 6c39dd63dc4f91b358155c173a2cfdf4c6c5af3e Mon Sep 17 00:00:00 2001 From: scuri Date: Fri, 21 Aug 2009 04:01:59 +0000 Subject: *** empty log message *** --- src/libtiff/tif_next.c | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) (limited to 'src/libtiff/tif_next.c') diff --git a/src/libtiff/tif_next.c b/src/libtiff/tif_next.c index 7223f7b..3cb0085 100644 --- a/src/libtiff/tif_next.c +++ b/src/libtiff/tif_next.c @@ -1,4 +1,4 @@ -/* $Id: tif_next.c,v 1.1 2008/10/17 06:16:07 scuri Exp $ */ +/* $Id: tif_next.c,v 1.2 2009/08/21 04:01:59 scuri Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -48,11 +48,10 @@ static int NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s) { - register unsigned char *bp, *op; - register tsize_t cc; - register int n; + unsigned char *bp, *op; + tsize_t cc; tidata_t row; - tsize_t scanline; + tsize_t scanline, n; (void) s; /* @@ -66,7 +65,7 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s) bp = (unsigned char *)tif->tif_rawcp; cc = tif->tif_rawcc; scanline = tif->tif_scanlinesize; - for (row = buf; (long)occ > 0; occ -= scanline, row += scanline) { + for (row = buf; occ > 0; occ -= scanline, row += scanline) { n = *bp++, cc--; switch (n) { case LITERALROW: @@ -80,10 +79,10 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s) cc -= scanline; break; case LITERALSPAN: { - int off; + tsize_t off; /* - * The scanline has a literal span - * that begins at some offset. + * The scanline has a literal span that begins at some + * offset. */ off = (bp[0] * 256) + bp[1]; n = (bp[2] * 256) + bp[3]; @@ -95,23 +94,27 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s) break; } default: { - register int npixels = 0, grey; - unsigned long imagewidth = tif->tif_dir.td_imagewidth; + uint32 npixels = 0, grey; + uint32 imagewidth = tif->tif_dir.td_imagewidth; /* - * The scanline is composed of a sequence - * of constant color ``runs''. We shift - * into ``run mode'' and interpret bytes - * as codes of the form - * until we've filled the scanline. + * The scanline is composed of a sequence of constant + * color ``runs''. We shift into ``run mode'' and + * interpret bytes as codes of the form + * until we've filled the scanline. */ op = row; for (;;) { grey = (n>>6) & 0x3; n &= 0x3f; - while (n-- > 0) + /* + * Ensure the run does not exceed the scanline + * bounds, potentially resulting in a security + * issue. + */ + while (n-- > 0 && npixels < imagewidth) SETPIXEL(op, grey); - if (npixels >= (int) imagewidth) + if (npixels >= imagewidth) break; if (cc == 0) goto bad; -- cgit v1.2.3