diff options
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2016-3990.patch')
| -rw-r--r-- | gnu/packages/patches/libtiff-CVE-2016-3990.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3990.patch b/gnu/packages/patches/libtiff-CVE-2016-3990.patch new file mode 100644 index 0000000000..7641c3073b --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-3990.patch @@ -0,0 +1,31 @@ +Fix CVE-2016-3990 (write buffer overflow in PixarLogEncode if more input +samples are provided than expected by PixarLogSetupEncode). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990 +http://bugzilla.maptools.org/show_bug.cgi?id=2544 + +Patch extracted from upstream CVS repo with: +$ cvs diff -u -r1.45 -r1.46 libtiff/tif_pixarlog.c + +Index: libtiff/tif_pixarlog.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v +retrieving revision 1.45 +retrieving revision 1.46 +diff -u -r1.45 -r1.46 +--- libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:37:33 -0000 1.45 ++++ libtiff/libtiff/tif_pixarlog.c 15 Aug 2016 20:49:48 -0000 1.46 +@@ -1141,6 +1141,13 @@ + } + + llen = sp->stride * td->td_imagewidth; ++ /* Check against the number of elements (of size uint16) of sp->tbuf */ ++ if( n > td->td_rowsperstrip * llen ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Too many input bytes provided"); ++ return 0; ++ } + + for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { + switch (sp->user_datafmt) { |