LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7714 Commits
1 Branch
46 MiB
Tree: dbebe09e18
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'dbebe09e18'
${ noResults }
openwrt-packages-dist/libs/tiff/patches/121-CVE-2017-7602.patch

67 lines
2.3 KiB
Raw Normal View History

tiff: update to version 4.0.7 with CVE fixes Signed-off-by: Jiri Slachta <jiri@slachta.eu>
8 years ago
 
  1. From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001
  2. From: erouault <erouault>
  3. Date: Wed, 11 Jan 2017 16:33:34 +0000
  4. Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on
  5.  signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
  6.  http://bugzilla.maptools.org/show_bug.cgi?id=2650
  7. 

  8. ---

  9.  ChangeLog          |  6 ++++++
  10.  libtiff/tif_read.c | 27 ++++++++++++++++++---------
  11.  2 files changed, 24 insertions(+), 9 deletions(-)
  12. 

  13. diff --git a/ChangeLog b/ChangeLog

  14. index 8e202a2..3e31464 100644

  15. --- a/ChangeLog

  16. +++ b/ChangeLog

  17. @@ -1,5 +1,11 @@

  18.  2017-01-11 Even Rouault <even.rouault at spatialys.com>
  19.  
  20. +	* libtiff/tif_read.c: avoid potential undefined behaviour on signed integer

  21. +	addition in TIFFReadRawStrip1() in isMapped() case.

  22. +	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650

  23. +

  24. +2017-01-11 Even Rouault <even.rouault at spatialys.com>

  25. +

  26.  	* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
  27.  	undefined behaviour caused by invalid shift exponent.
  28.  	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
  29. diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c

  30. index 52bbf50..b7aacbd 100644

  31. --- a/libtiff/tif_read.c

  32. +++ b/libtiff/tif_read.c

  33. @@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,

  34.  			return ((tmsize_t)(-1));
  35.  		}
  36.  	} else {
  37. -		tmsize_t ma,mb;

  38. +		tmsize_t ma;

  39.  		tmsize_t n;
  40. -		ma=(tmsize_t)td->td_stripoffset[strip];

  41. -		mb=ma+size;

  42. -		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))

  43. -			n=0;

  44. -		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))

  45. -			n=tif->tif_size-ma;

  46. -		else

  47. -			n=size;

  48. +		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||

  49. +                    ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))

  50. +                {

  51. +                    n=0;

  52. +                }

  53. +                else if( ma > TIFF_TMSIZE_T_MAX - size )

  54. +                {

  55. +                    n=0;

  56. +                }

  57. +                else

  58. +                {

  59. +                    tmsize_t mb=ma+size;

  60. +                    if (mb>tif->tif_size)

  61. +                            n=tif->tif_size-ma;

  62. +                    else

  63. +                            n=size;

  64. +                }

  65.  		if (n!=size) {
  66.  #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
  67.  			TIFFErrorExt(tif->tif_clientdata, module,