fixed buffer overrun when reading CCITT group 4 compressed TIFF files (patch 646603)

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@18459 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775

src/tiff/tif_fax3.c

@@ -499,32 +499,7 @@ Fax3SetupState(TIFF* tif)
 		uint32 nruns = needsRefLine ?
 		     2*TIFFroundup(rowpixels,32) : rowpixels;
 
-#if 0
+		dsp->runs = (uint32*) _TIFFmalloc((2*nruns+3)*sizeof (uint32));
-		dsp->runs = (uint32*) _TIFFmalloc(nruns*sizeof (uint16));
-#endif
-                /* 
-Problem
--------
-
-Decoding the file frle_bug.tif causes a crash (such as with tiff2rgba). 
-
-In particular the array dsp->runs allocated in Fax3SetupState() is overrun 
-by 4-8 bytes.  This occurs when Fax3DecodeRLE() processes the first
-scanline.  The EXPAND1D() macro advances "pa" to be thisrun+512 (an
-alias for dsp->runs), pointing just beyond the end of the array.  Then 
-the call to _TIFFFax3fillruns() does an "*erun++ = 0;" which writes beyond 
-the end of the array.
-
-In the short term I have modified the dsp->runs allocation to add eight
-extra bytes to the runs buffer; however, I am only doing this because I
-don't understand the algorithm well enough to change it without risking
-more adverse side effects.
-
-Frank Warmerdam (warmerda@home.com)
-
-                */
-
-		dsp->runs = (uint32*) _TIFFmalloc(8+nruns*sizeof (uint32));
 
 		if (dsp->runs == NULL) {
 			TIFFError("Fax3SetupState",