diff options
Diffstat (limited to 'fitz/image_tiff.c')
| -rw-r--r-- | fitz/image_tiff.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/fitz/image_tiff.c b/fitz/image_tiff.c index 2176062c..5b154c3e 100644 --- a/fitz/image_tiff.c +++ b/fitz/image_tiff.c @@ -27,6 +27,10 @@ struct tiff /* colormap */ unsigned *colormap; + unsigned stripoffsetslen; + unsigned stripbytecountslen; + unsigned colormaplen; + /* assorted tags */ unsigned subfiletype; unsigned photometric; @@ -280,6 +284,9 @@ fz_expand_tiff_colormap(struct tiff *tiff) if (tiff->bitspersample != 4 && tiff->bitspersample != 8) fz_throw(tiff->ctx, "invalid number of bits for RGBPal"); + if (tiff->colormaplen < (unsigned)maxval * 3) + fz_throw(tiff->ctx, "insufficient colormap data"); + stride = tiff->imagewidth * (tiff->samplesperpixel + 2); samples = fz_malloc(tiff->ctx, stride * tiff->imagelength); @@ -336,9 +343,13 @@ fz_decode_tiff_strips(struct tiff *tiff) unsigned strip; unsigned i; - if (!tiff->rowsperstrip || !tiff->stripoffsets || !tiff->rowsperstrip) + if (!tiff->rowsperstrip || !tiff->stripoffsets || !tiff->stripbytecounts) fz_throw(tiff->ctx, "no image data in tiff; maybe it is tiled"); + if (tiff->stripoffsetslen < (tiff->imagelength - 1) / tiff->rowsperstrip + 1 || + tiff->stripbytecountslen < (tiff->imagelength - 1) / tiff->rowsperstrip + 1) + fz_throw(tiff->ctx, "insufficient strip offset data"); + if (tiff->planar != 1) fz_throw(tiff->ctx, "image data is not in chunky format"); @@ -657,16 +668,19 @@ fz_read_tiff_tag(struct tiff *tiff, unsigned offset) case StripOffsets: tiff->stripoffsets = fz_malloc_array(tiff->ctx, count, sizeof(unsigned)); fz_read_tiff_tag_value(tiff->stripoffsets, tiff, type, value, count); + tiff->stripoffsetslen = count; break; case StripByteCounts: tiff->stripbytecounts = fz_malloc_array(tiff->ctx, count, sizeof(unsigned)); fz_read_tiff_tag_value(tiff->stripbytecounts, tiff, type, value, count); + tiff->stripbytecountslen = count; break; case ColorMap: tiff->colormap = fz_malloc_array(tiff->ctx, count, sizeof(unsigned)); fz_read_tiff_tag_value(tiff->colormap, tiff, type, value, count); + tiff->colormaplen = count; break; case TileWidth: |