readtif, writetif: prevent buffer overflows in some corner cases

author: ppatience0 <ppatience0@gmail.com> 2013-07-20 16:42:33 -0400
committer: ppatience0 <ppatience0@gmail.com> 2013-07-20 16:42:33 -0400
commit: 92b14e72b006f7226f17cad25f92224a96b2e6da (patch)
tree: 89d1efe6e529824a293aee18a987f37f544f5958 /sys/src/cmd/jpg
parent: 105155880c05e0edb112b2b03597c6fab5830429 (diff)
2 files changed, 6 insertions, 4 deletions
diff --git a/sys/src/cmd/jpg/readtif.c b/sys/src/cmd/jpg/readtif.c
index f4c9b9daa..c082a6d19 100644
--- a/sys/src/cmd/jpg/readtif.c
+++ b/sys/src/cmd/jpg/readtif.c
@@ -804,6 +804,8 @@ getfax2d(Fax *f, uchar *data, ulong size, ulong *i, ulong *x,
 			f->st = -1;
 			return nil;
 		}
+		if(j+1 >= f->nl)
+			faxalloclines(f);
 		len = p->len;
 		code = p->code;
 		if(code == 1 && len == 3) {
@@ -852,8 +854,6 @@ getfax2d(Fax *f, uchar *data, ulong size, ulong *i, ulong *x,
 			f->l2[j++] = *x;
 			f->st ^= 1;
 		}
-		if(j >= f->nl)
-			faxalloclines(f);
 		a0 = *x;
 	}
 	memmove(f->l1, f->l2, j*sizeof *f->l1);
diff --git a/sys/src/cmd/jpg/writetif.c b/sys/src/cmd/jpg/writetif.c
index 2c02b5d44..983684e1a 100644
--- a/sys/src/cmd/jpg/writetif.c
+++ b/sys/src/cmd/jpg/writetif.c
@@ -933,6 +933,7 @@ pkbrow(Pkb *p, uchar *data, int ndata, long *buf)
 {
 	int b, repl;
 	long i, j, k, n;
+	ulong m;
 
 	i = n = 0;
 	buf[n++] = i;
@@ -974,8 +975,9 @@ pkbrow(Pkb *p, uchar *data, int ndata, long *buf)
 			i++;
 		if(b == 0)
 			continue;
-		if(p->n+1+(k<0?1:b) > p->ndata) {
-			p->ndata *= 2;
+		m = 1 + (k < 0? 1: b);
+		if(p->n+m > p->ndata) {
+			p->ndata = (p->n + m) * 2;
 			p->data = realloc(p->data,
 				p->ndata*sizeof *p->data);
 			if(p->data == nil)
author	ppatience0 <ppatience0@gmail.com>	2013-07-20 16:42:33 -0400
committer	ppatience0 <ppatience0@gmail.com>	2013-07-20 16:42:33 -0400
commit	92b14e72b006f7226f17cad25f92224a96b2e6da (patch)
tree	89d1efe6e529824a293aee18a987f37f544f5958 /sys/src/cmd/jpg
parent	105155880c05e0edb112b2b03597c6fab5830429 (diff)