summary refs log tree commit diff
path: root/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch')
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
new file mode 100644
index 0000000000..fda018b7bb
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
@@ -0,0 +1,32 @@
+Copied from Debian
+
+From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 19:53:59 +0000
+Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write
+ http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
+
+---
+ ChangeLog         | 5 +++++
+ tools/thumbnail.c | 8 +++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fab63f6..c50bbff 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -568,7 +568,13 @@ setImage1(const uint8* br, uint32 rw, uint32 rh)
+ 	    err -= limit;
+ 	    sy++;
+ 	    if (err >= limit)
+-		rows[nrows++] = br + bpr*sy;
++		{
++			/* We should perhaps error loudly, but I can't make sense of that */
++			/* code... */
++			if( nrows == 256 )
++				break;
++			rows[nrows++] = br + bpr*sy;
++		}
+ 	}
+ 	setrow(row, nrows, rows);
+ 	row += tnw;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-02-20 11:53:03 +0000