diff -uprk.orig tiff-v3.5.7.orig/libtiff/tif_luv.c tiff-v3.5.7/libtiff/tif_luv.c
--- tiff-v3.5.7.orig/libtiff/tif_luv.c 2001-03-02 07:57:42 +0300
+++ tiff-v3.5.7/libtiff/tif_luv.c 2004-10-04 01:34:44 +0400
@@ -212,11 +212,11 @@ LogL16Decode(TIFF* tif, tidata_t op, tsi
rc = *bp++ + (2-128);
b = (int16)*bp++ << shft;
cc -= 2;
- while (rc--)
+ while (rc-- && i < npixels)
tp[i++] |= b;
} else { /* non-run */
rc = *bp++; /* nul is noop */
- while (--cc && rc--)
+ while (--cc && rc-- && i < npixels)
tp[i++] |= (int16)*bp++ << shft;
}
if (i != npixels) {
@@ -312,11 +312,11 @@ LogLuvDecode32(TIFF* tif, tidata_t op, t
rc = *bp++ + (2-128);
b = (uint32)*bp++ << shft;
cc -= 2;
- while (rc--)
+ while (rc-- && i < npixels)
tp[i++] |= b;
} else { /* non-run */
rc = *bp++; /* nul is noop */
- while (--cc && rc--)
+ while (--cc && rc-- && i < npixels)
tp[i++] |= (uint32)*bp++ << shft;
}
if (i != npixels) {
diff -uprk.orig tiff-v3.5.7.orig/libtiff/tif_next.c tiff-v3.5.7/libtiff/tif_next.c
--- tiff-v3.5.7.orig/libtiff/tif_next.c 1999-11-28 00:43:28 +0300
+++ tiff-v3.5.7/libtiff/tif_next.c 2004-10-04 01:34:44 +0400
@@ -87,7 +87,7 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
*/
off = (bp[0] * 256) + bp[1];
n = (bp[2] * 256) + bp[3];
- if (cc < 4+n)
+ if (cc < 4+n || off+n > scanline)
goto bad;
_TIFFmemcpy(row+off, bp+4, n);
bp += 4+n;
diff -uprk.orig tiff-v3.5.7.orig/libtiff/tif_thunder.c tiff-v3.5.7/libtiff/tif_thunder.c
--- tiff-v3.5.7.orig/libtiff/tif_thunder.c 1999-07-28 01:50:27 +0400
+++ tiff-v3.5.7/libtiff/tif_thunder.c 2004-10-04 01:37:43 +0400
@@ -91,8 +91,10 @@ ThunderDecode(TIFF* tif, tidata_t op, ts
} else
lastpixel |= lastpixel << 4;
npixels += n;
- for (; n > 0; n -= 2)
- *op++ = lastpixel;
+ if (npixels < maxpixels) {
+ for (; n > 0; n -= 2)
+ *op++ = (tidataval_t) lastpixel;
+ }
if (n == -1)
*--op &= 0xf0;
lastpixel &= 0xf;
