54 lines
1.7 KiB
Diff
54 lines
1.7 KiB
Diff
Upstream patch for CVE-2011-1167, heap-based buffer overflow in thunder
|
|
decoder (ZDI-CAN-1004).
|
|
|
|
|
|
diff -Naur tiff-3.9.4.orig/libtiff/tif_thunder.c tiff-3.9.4/libtiff/tif_thunder.c
|
|
--- tiff-3.9.4.orig/libtiff/tif_thunder.c 2010-06-08 14:50:43.000000000 -0400
|
|
+++ tiff-3.9.4/libtiff/tif_thunder.c 2011-03-18 12:17:13.635796403 -0400
|
|
@@ -55,12 +55,32 @@
|
|
static const int twobitdeltas[4] = { 0, 1, 0, -1 };
|
|
static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
|
|
|
|
-#define SETPIXEL(op, v) { \
|
|
- lastpixel = (v) & 0xf; \
|
|
- if (npixels++ & 1) \
|
|
- *op++ |= lastpixel; \
|
|
- else \
|
|
+#define SETPIXEL(op, v) { \
|
|
+ lastpixel = (v) & 0xf; \
|
|
+ if ( npixels < maxpixels ) \
|
|
+ { \
|
|
+ if (npixels++ & 1) \
|
|
+ *op++ |= lastpixel; \
|
|
+ else \
|
|
op[0] = (tidataval_t) (lastpixel << 4); \
|
|
+ } \
|
|
+}
|
|
+
|
|
+static int
|
|
+ThunderSetupDecode(TIFF* tif)
|
|
+{
|
|
+ static const char module[] = "ThunderSetupDecode";
|
|
+
|
|
+ if( tif->tif_dir.td_bitspersample != 4 )
|
|
+ {
|
|
+ TIFFErrorExt(tif->tif_clientdata, module,
|
|
+ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
|
|
+ (int) tif->tif_dir.td_bitspersample );
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+
|
|
+ return (1);
|
|
}
|
|
|
|
static int
|
|
@@ -151,6 +171,7 @@
|
|
(void) scheme;
|
|
tif->tif_decoderow = ThunderDecodeRow;
|
|
tif->tif_decodestrip = ThunderDecodeRow;
|
|
+ tif->tif_setupdecode = ThunderSetupDecode;
|
|
return (1);
|
|
}
|
|
#endif /* THUNDER_SUPPORT */
|