23 lines
847 B
Diff
23 lines
847 B
Diff
gif2tiff buffer overrun. Filed upstream at
|
|
http://bugzilla.maptools.org/show_bug.cgi?id=2270
|
|
|
|
This appears not to be security critical: it's a read not a write
|
|
overrun, so the worst possible consequence is SIGSEGV, and even that
|
|
doesn't seem to happen on any popular architectures.
|
|
|
|
|
|
diff -Naur tiff-3.9.4.orig/tools/gif2tiff.c tiff-3.9.4/tools/gif2tiff.c
|
|
--- tiff-3.9.4.orig/tools/gif2tiff.c 2010-06-08 14:50:44.000000000 -0400
|
|
+++ tiff-3.9.4/tools/gif2tiff.c 2010-11-02 22:32:10.018264489 -0400
|
|
@@ -503,6 +503,10 @@
|
|
strip = 0;
|
|
stripsize = TIFFStripSize(tif);
|
|
for (row=0; row<height; row += rowsperstrip) {
|
|
+ if (rowsperstrip > height-row) {
|
|
+ rowsperstrip = height-row;
|
|
+ stripsize = TIFFVStripSize(tif, rowsperstrip);
|
|
+ }
|
|
if (TIFFWriteEncodedStrip(tif, strip, newras+row*width, stripsize) < 0)
|
|
break;
|
|
strip++;
|