From 92b14e72b006f7226f17cad25f92224a96b2e6da Mon Sep 17 00:00:00 2001
From: ppatience0
Date: Sat, 20 Jul 2013 16:42:33 -0400
Subject: readtif, writetif: prevent buffer overflows in some corner cases
---
 sys/src/cmd/jpg/readtif.c | 4 ++--
 sys/src/cmd/jpg/writetif.c | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/sys/src/cmd/jpg/readtif.c b/sys/src/cmd/jpg/readtif.c
index f4c9b9daa..c082a6d19 100644
--- a/sys/src/cmd/jpg/readtif.c
+++ b/sys/src/cmd/jpg/readtif.c
@@ -804,6 +804,8 @@ getfax2d(Fax *f, uchar *data, ulong size, ulong *i, ulong *x,
 f->st = -1;
 return nil;
 }
+ if(j+1 >= f->nl)
+ faxalloclines(f);
 len = p->len;
 code = p->code;
 if(code == 1 && len == 3) {
@@ -852,8 +854,6 @@ getfax2d(Fax *f, uchar *data, ulong size, ulong *i, ulong *x,
 f->l2[j++] = *x;
 f->st ^= 1;
 }
- if(j >= f->nl)
- faxalloclines(f);
 a0 = *x;
 }
 memmove(f->l1, f->l2, j*sizeof *f->l1);
diff --git a/sys/src/cmd/jpg/writetif.c b/sys/src/cmd/jpg/writetif.c
index 2c02b5d44..983684e1a 100644
--- a/sys/src/cmd/jpg/writetif.c
+++ b/sys/src/cmd/jpg/writetif.c
@@ -933,6 +933,7 @@ pkbrow(Pkb *p, uchar *data, int ndata, long *buf)
 {
 int b, repl;
 long i, j, k, n;
+ ulong m;
 i = n = 0;
 buf[n++] = i;
@@ -974,8 +975,9 @@ pkbrow(Pkb *p, uchar *data, int ndata, long *buf)
 i++;
 if(b == 0) continue;
- if(p->n+1+(k<0?1:b) > p->ndata) {
- p->ndata *= 2;
+ m = 1 + (k < 0? 1: b);
+ if(p->n+m > p->ndata) {
+ p->ndata = (p->n + m) * 2;
 p->data = realloc(p->data, p->ndata*sizeof *p->data);
 if(p->data == nil)
--
cgit v1.2.3
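Review bot: In readtif.c, getfax2d (hunk @@ -804), the `+1` in the new guard `if(j+1 >= f->nl)` encodes an invariant that is not written down: when the guard does not fire, only indices `j` and `j+1` of `f->l2` are known to be in bounds, so no single pass through the loop may append more than two entries. The branches that append are mostly outside the hunk (getfax2d starts and ends outside it), so this cannot be confirmed from here; a comment on the guard such as `/* reserve room for the two l2 entries one code can append */` would keep a later edit from quietly reintroducing the overflow. The call also discards any result of `faxalloclines(f)`; its definition is not visible, but if it can fail on allocation, that failure should be propagated the way the `f->st = -1; return nil;` path just above does, before the writes to `f->l2` that follow.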
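Review bot: In writetif.c, pkbrow (hunk @@ -974), the new size computation has no overflow check: `p->n+m`, `(p->n + m) * 2` and the byte count `p->ndata*sizeof *p->data` on the following context line can each wrap, and a wrapped value would leave the buffer smaller than the writes after it assume. The field types of `Pkb` are not visible here, so how reachable this is depends on them; note also that `m` is `ulong` while `k` and `b` are signed, so a negative `b`, if one can reach this point, would convert to a very large `m` and defeat the `p->n+m > p->ndata` test. I would reject the row before growing, e.g. `if(b < 0 || m > (~0UL/sizeof *p->data)/2 - p->n)`, taking the same error path as the `p->data == nil` check, whose body is outside the hunk. Separately, assigning the result of realloc straight to `p->data` loses the old buffer on failure; a temporary would let it still be freed.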