Fix two divide-by-zero bugs in readSeparateTilesIntoBuffer(): http://bugzilla.maptools.org/show_bug.cgi?id=2597 http://bugzilla.maptools.org/show_bug.cgi?id=2607 2016-12-03 Even Rouault * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is missing. Reported by Agostino sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597 /cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog new revision: 1.1183; previous revision: 1.1182 /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c new revision: 1.57; previous revision: 1.56 Index: libtiff/tools/tiffcp.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v retrieving revision 1.56 retrieving revision 1.57 diff -u -r1.56 -r1.57 --- libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56 +++ libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57 @@ -1,4 +1,4 @@ -/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */ +/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -1378,7 +1378,7 @@ uint8* bufp = (uint8*) buf; uint32 tw, tl; uint32 row; - uint16 bps, bytes_per_sample; + uint16 bps = 0, bytes_per_sample; tilebuf = _TIFFmalloc(tilesize); if (tilebuf == 0) @@ -1387,6 +1387,12 @@ (void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw); (void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); + if( bps == 0 ) + { + TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample"); + status = 0; + goto done; + } assert( bps % 8 == 0 ); bytes_per_sample = bps/8; 2016-12-03 Even Rouault * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is missing. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607 /cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog new revision: 1.1186; previous revision: 1.1185 /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c new revision: 1.58; previous revision: 1.57 Index: libtiff/tools/tiffcp.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v retrieving revision 1.57 retrieving revision 1.58 diff -u -r1.57 -r1.58 --- libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57 +++ libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58 @@ -1,4 +1,4 @@ -/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */ +/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -1569,7 +1569,7 @@ uint8* bufp = (uint8*) buf; uint32 tl, tw; uint32 row; - uint16 bps, bytes_per_sample; + uint16 bps = 0, bytes_per_sample; obuf = _TIFFmalloc(TIFFTileSize(out)); if (obuf == NULL) @@ -1578,6 +1578,12 @@ (void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); (void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); + if( bps == 0 ) + { + TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); + _TIFFfree(obuf); + return 0; + } assert( bps % 8 == 0 ); bytes_per_sample = bps/8;