author | Sebastian Rasmussen <sebras@gmail.com> | 2016-09-27 17:03:31 +0800 |
---|---|---|
committer | Sebastian Rasmussen <sebras@gmail.com> | 2016-09-28 00:10:39 +0800 |
commit | 717f2a55064682e4f7c05125dfa0909b7fe31430 (patch) | |
tree | aa42d1bc227de2081dd1e345621087a2015bef3d /source/fitz | |
parent | 9eb9cee0c05de9305d007671693f92b7ad1a7cd4 (diff) | |
download | mupdf-717f2a55064682e4f7c05125dfa0909b7fe31430.tar.xz |
Bug 697165: tiff: Do not allow duplicate array tags.
Previously this caused a memory leak.
Diffstat (limited to 'source/fitz')
-rw-r--r-- | source/fitz/load-tiff.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c
index 09f6f88b..59b86b92 100644
--- a/source/fitz/load-tiff.c
+++ b/source/fitz/load-tiff.c
@@ -726,6 +726,8 @@ fz_read_tiff_tag(fz_context *ctx, struct tiff *tiff, unsigned offset)
 break;

 case ICCProfile:
+ if (tiff->profile)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "at most one ICC profile tag allowed");
 tiff->profile = fz_malloc(ctx, count);
 /* ICC profile data type is set to UNDEFINED.
 * TBYTE reading not correct in fz_read_tiff_tag_value */
@@ -739,18 +741,24 @@ fz_read_tiff_tag(fz_context *ctx, struct tiff *tiff, unsigned offset)
 break;

 case StripOffsets:
+ if (tiff->stripoffsets)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "at most one strip offsets tag allowed");
 tiff->stripoffsets = fz_malloc_array(ctx, count, sizeof(unsigned));
 fz_read_tiff_tag_value(tiff->stripoffsets, tiff, type, value, count);
 tiff->stripoffsetslen = count;
 break;

 case StripByteCounts:
+ if (tiff->stripbytecounts)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "at most one strip byte counts tag allowed");
 tiff->stripbytecounts = fz_malloc_array(ctx, count, sizeof(unsigned));
 fz_read_tiff_tag_value(tiff->stripbytecounts, tiff, type, value, count);
 tiff->stripbytecountslen = count;
 break;

 case ColorMap:
+ if (tiff->colormap)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "at most one color map allowed");
 tiff->colormap = fz_malloc_array(ctx, count, sizeof(unsigned));
 fz_read_tiff_tag_value(tiff->colormap, tiff, type, value, count);
 tiff->colormaplen = count;
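Review bot: None of the new guards says why a repeated tag is refused; the reason (the second allocation would overwrite the pointer and leak the first buffer) lives only in the commit message. A one-line comment above the first guard under `case ICCProfile:`, such as `/* a repeated tag would overwrite the pointer below and leak the earlier buffer */`, would keep that with the code, and it applies equally to the StripOffsets, StripByteCounts and ColorMap guards in the next hunk. The guards treat a non-NULL pointer as "tag already seen", which presumably relies on struct tiff being zero-initialised and on the caller freeing these buffers when fz_throw unwinds. Neither is visible here, since fz_read_tiff_tag starts and ends outside both hunks.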
@@ -765,12 +773,16 @@ fz_read_tiff_tag(fz_context *ctx, struct tiff *tiff, unsigned offset)
 break;

 case TileOffsets:
+ if (tiff->tileoffsets)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "at most one tile offsets tag allowed");
 tiff->tileoffsets = fz_malloc_array(ctx, count, sizeof(unsigned));
 fz_read_tiff_tag_value(tiff->tileoffsets, tiff, type, value, count);
 tiff->tileoffsetslen = count;
 break;

 case TileByteCounts:
+ if (tiff->tileoffsets)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "at most one tile byte counts tag allowed");
 tiff->tilebytecounts = fz_malloc_array(ctx, count, sizeof(unsigned));
 fz_read_tiff_tag_value(tiff->tilebytecounts, tiff, type, value, count);
 tiff->tilebytecountslen = count; |
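Review bot: The guard added under `case TileByteCounts:` tests `tiff->tileoffsets` rather than `tiff->tilebytecounts`, so it checks the wrong field. As written, a file whose TileOffsets tag has already been read is rejected with "at most one tile byte counts tag allowed" on its first TileByteCounts tag. A repeated TileByteCounts tag with no TileOffsets before it still overwrites `tiff->tilebytecounts` and leaks the earlier array. The condition should be `if (tiff->tilebytecounts)`. fz_read_tiff_tag starts and ends outside this hunk.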