Fix CVE-2016-10094: http://bugzilla.maptools.org/show_bug.cgi?id=2640 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094 https://security-tracker.debian.org/tracker/CVE-2016-10094 2016-12-20 Even Rouault * tools/tiff2pdf.c: avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile(). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 /cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog new revision: 1.1199; previous revision: 1.1198 /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c new revision: 1.101; previous revision: 1.100 Index: libtiff/tools/tiff2pdf.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v retrieving revision 1.100 retrieving revision 1.101 diff -u -r1.100 -r1.101 --- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100 +++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:28:17 -0000 1.101 @@ -2895,7 +2895,7 @@ return(0); } if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { - if (count >= 4) { + if (count > 4) { int retTIFFReadRawTile; /* Ignore EOI marker of JpegTables */ _TIFFmemcpy(buffer, jpt, count - 2);