From 793c13601575967fdad69f15fea8e200a436ba9d Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Tue, 27 Sep 2016 22:05:47 +0800
Subject: tiff: Do not clobber input buffer if fill order is reversed.
---
 source/fitz/load-tiff.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'source')
diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c
index 8651c2c0..2e235c94 100644
--- a/source/fitz/load-tiff.c
+++ b/source/fitz/load-tiff.c
@@ -353,14 +353,19 @@ fz_decode_tiff_chunk(fz_context *ctx, struct tiff *tiff, unsigned char *rp, unsi
 {
 fz_stream *stm;
 unsigned i, size;
+ unsigned char *reversed = NULL;
 if (rp + rlen > tiff->ep)
 fz_throw(ctx, FZ_ERROR_GENERIC, "strip extends beyond the end of the file");
 /* the bits are in un-natural order */
 if (tiff->fillorder == 2)
+ {
+ reversed = fz_malloc(ctx, rlen);
 for (i = 0; i < rlen; i++)
- rp[i] = bitrev[rp[i]];
+ reversed[i] = bitrev[rp[i]];
+ rp = reversed;
+ }
 fz_try(ctx)
 {
@@ -430,15 +435,11 @@ fz_decode_tiff_chunk(fz_context *ctx, struct tiff *tiff, unsigned char *rp, unsi
 fz_always(ctx)
 {
 fz_drop_stream(ctx, stm);
+ fz_free(ctx, reversed);
 }
 fz_catch(ctx)
 fz_rethrow(ctx);
- /* scramble the bits back into original order */
- if (tiff->fillorder == 2)
- for (i = 0; i < rlen; i++)
- rp[i] = bitrev[rp[i]];
-
 return size;
 }
-- cgit v1.2.3
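Review bot: The new `fz_malloc(ctx, rlen)` and the copy loop in the `fillorder == 2` branch of the first hunk rely entirely on the context check `rp + rlen > tiff->ep` to bound `rlen`. That check adds before it compares, so a large `rlen` can wrap the pointer (most plausibly on 32-bit builds) and pass. `rlen` presumably comes from the file's strip or tile byte counts, in which case a wrapped check would let the loop read `rp[i]` past the end of the input. Comparing the length against the bytes that remain avoids the addition: `if (rp > tiff->ep || rlen > (size_t)(tiff->ep - rp))`. The body of fz_decode_tiff_chunk continues outside both hunks, so whether the caller already validates the offset that produces `rp` cannot be confirmed from here.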