| OLD | NEW |
| (Empty) | |
| 1 diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarl
og.c |
| 2 index b93b4c7..0674fa4 100644 |
| 3 --- a/third_party/libtiff/tif_pixarlog.c |
| 4 +++ b/third_party/libtiff/tif_pixarlog.c |
| 5 @@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, uns
igned char *op, |
| 6 typedef struct { |
| 7 TIFFPredictorState predict; |
| 8 z_stream stream; |
| 9 + tmsize_t tbuf_size; /* only set/used on reading for now *
/ |
| 10 uint16 *tbuf; |
| 11 uint16 stride; |
| 12 int state; |
| 13 @@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif) |
| 14 sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); |
| 15 if (sp->tbuf == NULL) |
| 16 return (0); |
| 17 + sp->tbuf_size = tbuf_size; |
| 18 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) |
| 19 sp->user_datafmt = PixarLogGuessDataFmt(td); |
| 20 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { |
| 21 @@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s
) |
| 22 TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with
buffers this size"); |
| 23 return (0); |
| 24 } |
| 25 + /* Check that we will not fill more than what was allocated */ |
| 26 + if (sp->stream.avail_out > sp->tbuf_size) |
| 27 + { |
| 28 + TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out
> sp->tbuf_size"); |
| 29 + return (0); |
| 30 + } |
| 31 do { |
| 32 int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); |
| 33 if (state == Z_STREAM_END) { |
| OLD | NEW |