Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652 Patches exfiltrated from upstream CVS repo with: cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c Index: tools/tiff2pdf.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v retrieving revision 1.92 retrieving revision 1.94 diff -u -r1.92 -r1.94 --- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92 +++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94 @@ -2887,21 +2887,24 @@ return(0); } if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { - if (count > 0) { - _TIFFmemcpy(buffer, jpt, count); + if (count >= 4) { + /* Ignore EOI marker of JpegTables */ + _TIFFmemcpy(buffer, jpt, count - 2); bufferoffset += count - 2; + /* Store last 2 bytes of the JpegTables */ table_end[0] = buffer[bufferoffset-2]; table_end[1] = buffer[bufferoffset-1]; - } - if (count > 0) { xuint32 = bufferoffset; + bufferoffset -= 2; bufferoffset += TIFFReadRawTile( input, tile, - (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), + (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), -1); - buffer[xuint32-2]=table_end[0]; - buffer[xuint32-1]=table_end[1]; + /* Overwrite SOI marker of image scan with previously */ + /* saved end of JpegTables */ + buffer[xuint32-2]=table_end[0]; + buffer[xuint32-1]=table_end[1]; } else { bufferoffset += TIFFReadRawTile( input,