path: root/patches/tiff/CVE-2017-17095.patch
blob: 760c9553d98ce1cd3c9caee6b851c70e07c3e9e5 (plain)
Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5

diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 7a57800..8443fce 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -184,8 +184,19 @@ main(int argc, char* argv[])
 	{ unsigned char *ibuf, *obuf;
 	  register unsigned char* pp;
 	  register uint32 x;
-	  ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
-	  obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+	  tmsize_t tss_in = TIFFScanlineSize(in);
+	  tmsize_t tss_out = TIFFScanlineSize(out);
+	  if (tss_out / tss_in < 3) {
+		/*
+		 * BUG 2750: The following code assumes the output buffer is 3x the
+		 * length of the input buffer due to exploding the palette into
+		 * RGB tuples. If this doesn't happen, fail now.
+		*/
+		fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
+		return -1;
+	  }
+	  ibuf = (unsigned char*)_TIFFmalloc(tss_in);
+	  obuf = (unsigned char*)_TIFFmalloc(tss_out);
 	  switch (config) {
 	  case PLANARCONFIG_CONTIG:
 		for (row = 0; row < imagelength; row++) {
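Review bot: The added guard `if (tss_out / tss_in < 3)` divides by `tss_in` before anything has established that it is non-zero. TIFFScanlineSize() returns 0 when it cannot compute a scanline size, so a malformed input file could turn the intended clean exit into a division by zero. Test the divisor first, for example `if (tss_in <= 0 || tss_out / tss_in < 3) {`. The two `_TIFFmalloc()` results are also still not checked for NULL before the `switch` that follows, and the early `return -1` appears to leave the `in` and `out` handles open. main() begins and ends outside this hunk, so any later cleanup is not visible here.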