diff options
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2016-5652.patch')
| -rw-r--r-- | gnu/packages/patches/libtiff-CVE-2016-5652.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5652.patch b/gnu/packages/patches/libtiff-CVE-2016-5652.patch new file mode 100644 index 0000000000..54b87d0185 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-5652.patch @@ -0,0 +1,47 @@ +Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652 + +Patches exfiltrated from upstream CVS repo with: +cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c + +Index: tools/tiff2pdf.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v +retrieving revision 1.92 +retrieving revision 1.94 +diff -u -r1.92 -r1.94 +--- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92 ++++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94 +@@ -2887,21 +2887,24 @@ + return(0); + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { +- if (count > 0) { +- _TIFFmemcpy(buffer, jpt, count); ++ if (count >= 4) { ++ /* Ignore EOI marker of JpegTables */ ++ _TIFFmemcpy(buffer, jpt, count - 2); + bufferoffset += count - 2; ++ /* Store last 2 bytes of the JpegTables */ + table_end[0] = buffer[bufferoffset-2]; + table_end[1] = buffer[bufferoffset-1]; +- } +- if (count > 0) { + xuint32 = bufferoffset; ++ bufferoffset -= 2; + bufferoffset += TIFFReadRawTile( + input, + tile, +- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), ++ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), + -1); +- buffer[xuint32-2]=table_end[0]; +- buffer[xuint32-1]=table_end[1]; ++ /* Overwrite SOI marker of image scan with previously */ ++ /* saved end of JpegTables */ ++ buffer[xuint32-2]=table_end[0]; ++ buffer[xuint32-1]=table_end[1]; + } else { + bufferoffset += TIFFReadRawTile( + input, |