--- Begin Message ---
Subject: off-by-one count in tiff_load
Date: Wed, 23 Mar 2011 23:33:11 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Thunderbird/3.1.8

src/image.c's tiff_load function counts the number of images in the
TIFF file incorrectly. It always reports one more image than is
actually present.

This bug was found by static analysis, using gcc -Wstrict-overflow
(GCC 4.5.2, x86-64).

I plan to fix it with the following patch.

* image.c (tiff_load): Fix off-by-one image count.

=== modified file 'src/image.c'
--- src/image.c 2011-03-13 08:04:44 +0000
+++ src/image.c 2011-03-24 04:31:06 +0000
@@ -6754,7 +6754,7 @@
TIFF *tiff;
int width, height, x, y, count;
uint32 *buf;
- int rc, rc2;
+ int rc;
XImagePtr ximg;
tiff_memory_source memsrc;
Lisp_Object image;
@@ -6842,8 +6842,8 @@
rc = fn_TIFFReadRGBAImage (tiff, width, height, buf, 0);
/* Count the number of images in the file. */
- for (count = 1, rc2 = 1; rc2; count++)
- rc2 = fn_TIFFSetDirectory (tiff, count);
+ for (count = 1; fn_TIFFSetDirectory (tiff, count); count++)
+ continue;
if (count > 1)
img->data.lisp_val = Fcons (Qcount,
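Review bot: the rewritten counting loop still has no upper bound on count, so it terminates only when fn_TIFFSetDirectory returns 0, and the file being walked may be malformed. count is a plain int (declared in the first hunk) and is incremented after every successful call. Please confirm which integer type fn_TIFFSetDirectory takes for its directory argument and cap count at that type's maximum, so that a narrowing conversion at the call cannot wrap back to a valid directory and keep the loop going until count itself overflows. Separately, each fn_TIFFSetDirectory (tiff, count) call moves the handle's current directory away from the one just decoded; that is harmless in the visible lines only because fn_TIFFReadRGBAImage has already run, and a short comment next to "Count the number of images in the file." saying so (and that count starts at 1 because directory 0 is the image already read) would protect later edits.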
--- End Message ---
--- Begin Message ---
Subject: fix merged to trunk
Date: Tue, 29 Mar 2011 17:53:19 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Thunderbird/3.1.8

I committed a fix to the trunk for this,
as part of a recent merge (bzr 103776).
For Bug#8344, the merge uses size_t rather
than EMACS_INT for argument counts as I proposed earlier,
since the argument counts are always nonnegative
and are limited just by sizes that can be counted
at the C level.
--- End Message ---