archlinuxarm/PKGBUILDs
1
0
Fork 0
mirror of https://github.com/archlinuxarm/PKGBUILDs.git synced 2024-11-08 22:45:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
PKGBUILDs/extra/libtiff/tiff-3.8.2-CVE-2008-2327.patch
Mike Staszel 72258e9d49 Adding PKGBUILDs
2009-09-26 09:35:50 -05:00

64 lines
2.1 KiB
Diff
Raw Blame History

Fixes security issues in libTIFF's handling of LZW-encoded
images. The use of uninitialized data could lead to a buffer
underflow and a crash or arbitrary code execution.
CVE-ID: CVE-2008-2327
Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
Index: tiff-3.8.2/libtiff/tif_lzw.c
===================================================================
--- tiff-3.8.2.orig/libtiff/tif_lzw.c
+++ tiff-3.8.2/libtiff/tif_lzw.c
@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
+ /*
+ * Zero-out the unused entries
+ */
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
+
}
return (1);
}
@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask-1;
NextCode(tif, sp, bp, code, GetNextCode);
if (code == CODE_EOI)
break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = (char)code, occ--;
oldcodep = sp->dec_codetab + code;
continue;
@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
NextCode(tif, sp, bp, code, GetNextCodeCompat);
if (code == CODE_EOI)
break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = code, occ--;
oldcodep = sp->dec_codetab + code;
continue;
Reference in a new issue View git blame Copy permalink