LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7725 Commits
1 Branch
46 MiB
Tree: 658ffbb3fd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '658ffbb3fd'
${ noResults }
openwrt-packages-dist/libs/tiff/patches/116-CVE-2017-5225.patch

84 lines
2.9 KiB
Raw Normal View History

tiff: update to version 4.0.7 with CVE fixes Signed-off-by: Jiri Slachta <jiri@slachta.eu>
8 years ago
 
  1. From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001
  2. From: erouault <erouault>
  3. Date: Wed, 11 Jan 2017 19:25:44 +0000
  4. Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
  5.  and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
  6.  overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
  7.  http://bugzilla.maptools.org/show_bug.cgi?id=2657
  8. 

  9. ---

  10.  ChangeLog      |  7 +++++++
  11.  tools/tiffcp.c | 24 ++++++++++++++++++++++--
  12.  2 files changed, 29 insertions(+), 2 deletions(-)
  13. 

  14. diff --git a/ChangeLog b/ChangeLog

  15. index f78cad0..064f25b 100644

  16. --- a/ChangeLog

  17. +++ b/ChangeLog

  18. @@ -1,3 +1,10 @@

  19. +2017-01-11 Even Rouault <even.rouault at spatialys.com>

  20. +

  21. +	* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and

  22. +	cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.

  23. +	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and

  24. +	http://bugzilla.maptools.org/show_bug.cgi?id=2657

  25. +

  26.  2016-12-20 Even Rouault <even.rouault at spatialys.com>
  27.  
  28.  	* tools/tiff2pdf.c: avoid potential heap-based overflow in
  29. diff --git a/tools/tiffcp.c b/tools/tiffcp.c

  30. index bdf754c..8bbcd52 100644

  31. --- a/tools/tiffcp.c

  32. +++ b/tools/tiffcp.c

  33. @@ -591,7 +591,7 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);

  34.  static int
  35.  tiffcp(TIFF* in, TIFF* out)
  36.  {
  37. -	uint16 bitspersample, samplesperpixel = 1;

  38. +	uint16 bitspersample = 1, samplesperpixel = 1;

  39.  	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
  40.  	copyFunc cf;
  41.  	uint32 width, length;
  42. @@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)

  43.  	register uint32 n;
  44.  	uint32 row;
  45.  	tsample_t s;
  46. +        uint16 bps = 0;

  47. +

  48. +        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);

  49. +        if( bps != 8 )

  50. +        {

  51. +            TIFFError(TIFFFileName(in),

  52. +                      "Error, can only handle BitsPerSample=8 in %s",

  53. +                      "cpContig2SeparateByRow");

  54. +            return 0;

  55. +        }

  56.  
  57.  	inbuf = _TIFFmalloc(scanlinesizein);
  58.  	outbuf = _TIFFmalloc(scanlinesizeout);
  59. @@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)

  60.  	register uint32 n;
  61.  	uint32 row;
  62.  	tsample_t s;
  63. +        uint16 bps = 0;

  64. +

  65. +        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);

  66. +        if( bps != 8 )

  67. +        {

  68. +            TIFFError(TIFFFileName(in),

  69. +                      "Error, can only handle BitsPerSample=8 in %s",

  70. +                      "cpSeparate2ContigByRow");

  71. +            return 0;

  72. +        }

  73.  
  74.  	inbuf = _TIFFmalloc(scanlinesizein);
  75.  	outbuf = _TIFFmalloc(scanlinesizeout);
  76. @@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)

  77.  	uint32 w, l, tw, tl;
  78.  	int bychunk;
  79.  
  80. -	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);

  81. +	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);

  82.  	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
  83.  		fprintf(stderr,
  84.  		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",