diff options
| author | Mark H Weaver <mhw@netris.org> | 2016-01-28 07:29:13 -0500 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2016-01-28 07:29:13 -0500 |
| commit | 593c366bded5d5f6638a3e80edb1c6e473149fce (patch) | |
| tree | eb58d26a878a22c79931fd8cfc2479dea28ab0a6 /gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch | |
| parent | 133056bd743e4a3d534a4e4ba9ed83dbbfbfbd19 (diff) | |
| parent | 29a780147d066d5ce218d1fa2678a0a36a1145e3 (diff) | |
| download | guix-593c366bded5d5f6638a3e80edb1c6e473149fce.tar.gz | |
Merge branch 'core-updates'
Diffstat (limited to 'gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch')
| -rw-r--r-- | gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch new file mode 100644 index 0000000000..50657b667c --- /dev/null +++ b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch @@ -0,0 +1,49 @@ +2015-12-27 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() + triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif + (bugzilla #2508) + +diff -u -r1.16 -r1.18 +--- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16 ++++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18 +@@ -1,4 +1,4 @@ +-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */ ++/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -37,7 +37,7 @@ + case 0: op[0] = (unsigned char) ((v) << 6); break; \ + case 1: op[0] |= (v) << 4; break; \ + case 2: op[0] |= (v) << 2; break; \ +- case 3: *op++ |= (v); break; \ ++ case 3: *op++ |= (v); op_offset++; break; \ + } \ + } + +@@ -103,6 +103,7 @@ + } + default: { + uint32 npixels = 0, grey; ++ tmsize_t op_offset = 0; + uint32 imagewidth = tif->tif_dir.td_imagewidth; + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; +@@ -122,10 +123,15 @@ + * bounds, potentially resulting in a security + * issue. + */ +- while (n-- > 0 && npixels < imagewidth) ++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) + SETPIXEL(op, grey); + if (npixels >= imagewidth) + break; ++ if (op_offset >= scanline ) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", ++ (long) tif->tif_row); ++ return (0); ++ } + if (cc == 0) + goto bad; + n = *bp++, cc--; |