LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7725 Commits
1 Branch
46 MiB
Tree: 658ffbb3fd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '658ffbb3fd'
${ noResults }
openwrt-packages-dist/libs/tiff/patches/106-CVE.patch

65 lines
2.3 KiB
Raw Normal View History

tiff: update to version 4.0.7 with CVE fixes Signed-off-by: Jiri Slachta <jiri@slachta.eu>
8 years ago
 
  1. commit 17d56c24c10ed300233164cc51380979124d6dd8
  2. Author: erouault <erouault>
  3. Date:   Sat Dec 3 12:19:32 2016 +0000
  4. 

  5.     * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
  6.     readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
  7.     Reported by Agostino Sarubbo.
  8.     Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
  9. 

  10. diff --git a/ChangeLog b/ChangeLog

  11. index d6a416b..50db803 100644

  12. --- a/ChangeLog

  13. +++ b/ChangeLog

  14. @@ -1,5 +1,12 @@

  15.  2016-12-03 Even Rouault <even.rouault at spatialys.com>
  16.  
  17. +	* tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in

  18. +	readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.

  19. +	Reported by Agostino Sarubbo.

  20. +	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621

  21. +

  22. +2016-12-03 Even Rouault <even.rouault at spatialys.com>

  23. +

  24.  	* tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
  25.  	that the output buffer is correctly incremented to avoid write outside bounds.
  26.  	Reported by Agostino Sarubbo.
  27. diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c

  28. index bdcbd63..9122aab 100644

  29. --- a/tools/tiffcrop.c

  30. +++ b/tools/tiffcrop.c

  31. @@ -1,4 +1,4 @@

  32. -/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */

  33. +/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */

  34.  
  35.  /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
  36.   * the image data through additional options listed below
  37. @@ -4815,10 +4815,17 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,

  38.    nstrips = TIFFNumberOfStrips(in);
  39.    strips_per_sample = nstrips /spp;
  40.  
  41. +  /* Add 3 padding bytes for combineSeparateSamples32bits */

  42. +  if( (size_t) stripsize > 0xFFFFFFFFU - 3U )

  43. +  {

  44. +      TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size.");

  45. +      exit(-1);

  46. +  }

  47. +

  48.    for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
  49.      {
  50.      srcbuffs[s] = NULL;
  51. -    buff = _TIFFmalloc(stripsize);

  52. +    buff = _TIFFmalloc(stripsize + 3);

  53.      if (!buff)
  54.        {
  55.        TIFFError ("readSeparateStripsIntoBuffer", 
  56. @@ -4827,6 +4834,9 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,

  57.          _TIFFfree (srcbuffs[i]);
  58.        return 0;
  59.        }
  60. +    buff[stripsize] = 0;

  61. +    buff[stripsize+1] = 0;

  62. +    buff[stripsize+2] = 0;

  63.      srcbuffs[s] = buff;
  64.      }
  65.