summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libtiff-CVE-2014-9655.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2014-9655.patch')
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-9655.patch88
1 files changed, 88 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2014-9655.patch b/gnu/packages/patches/libtiff-CVE-2014-9655.patch
new file mode 100644
index 0000000000..065804d03a
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2014-9655.patch
@@ -0,0 +1,88 @@
+Copied from Debian
+
+From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 29 Dec 2014 12:09:11 +0000
+Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't
+ read outside of the compressed input stream buffer.
+
+* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
+---
+ ChangeLog | 9 +++++++++
+ libtiff/tif_getimage.c | 12 +++++++-----
+ libtiff/tif_next.c | 4 +++-
+ 3 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a4f46d9..3ad8ee7 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+
+ (void) y;
+ fromskew = (fromskew * 10) / 4;
+- if ((h & 3) == 0 && (w & 1) == 0) {
++ if ((w & 3) == 0 && (h & 1) == 0) {
+ for (; h >= 2; h -= 2) {
+ x = w>>2;
+ do {
+@@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+ /* XXX adjust fromskew */
+ do {
+ x = w>>2;
+- do {
++ while(x>0) {
+ int32 Cb = pp[4];
+ int32 Cr = pp[5];
+
+@@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+
+ cp += 4;
+ pp += 6;
+- } while (--x);
++ x--;
++ }
+
+ if( (w&3) != 0 )
+ {
+@@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ fromskew = (fromskew * 4) / 2;
+ do {
+ x = w>>1;
+- do {
++ while(x>0) {
+ int32 Cb = pp[2];
+ int32 Cr = pp[3];
+
+@@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+
+ cp += 2;
+ pp += 4;
+- } while (--x);
++ x --;
++ }
+
+ if( (w&1) != 0 )
+ {
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index d834196..dd669cc 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
+ return (0);
+ }
+- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
+ n = *bp++, cc--;
+ switch (n) {
+ case LITERALROW:
+@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ * The scanline has a literal span that begins at some
+ * offset.
+ */
++ if( cc < 4 )
++ goto bad;
+ off = (bp[0] * 256) + bp[1];
+ n = (bp[2] * 256) + bp[3];
+ if (cc < 4+n || off+n > scanline)
generated by cgit v1.2.3 (git 2.46.2) at 2024-11-13 08:25:08 +0000