rpms/libtiff
5
0
Fork 0
Code Issues Pull Requests Releases Activity
aaa467f8bb
libtiff/libtiff-CVE-2014-9655.patch
Petr Hracek 37199ad8a2 CVE-2014-9655 and CVE-2015-1547 #1190710 
Signed-off-by: Petr Hracek <phracek@redhat.com>
2015-05-19 14:47:53 +02:00

69 lines
2.0 KiB
Diff
Raw Blame History

diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index a85273c..5e0cf92 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -1852,10 +1852,10 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
(void) y;
fromskew = (fromskew * 10) / 4;
- if ((h & 3) == 0 && (w & 1) == 0) {
+ if ((w & 3) == 0 && (h & 1) == 0) {
for (; h >= 2; h -= 2) {
x = w>>2;
- do {
+ while(x>0) {
int32 Cb = pp[8];
int32 Cr = pp[9];
@@ -1870,7 +1870,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
cp += 4, cp1 += 4;
pp += 10;
- } while (--x);
+ x--;
+ }
cp += incr, cp1 += incr;
pp += fromskew;
}
@@ -2031,7 +2032,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
fromskew = (fromskew * 4) / 2;
do {
x = w>>1;
- do {
+ while(x>0) {
int32 Cb = pp[2];
int32 Cr = pp[3];
@@ -2040,7 +2041,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
cp += 2;
pp += 4;
- } while (--x);
+ x--;
+ }
if( (w&1) != 0 )
{
diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
index 524e127..a6f4577 100644
--- a/libtiff/tif_next.c
+++ b/libtiff/tif_next.c
@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
return (0);
}
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
n = *bp++, cc--;
switch (n) {
case LITERALROW:
@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
* The scanline has a literal span that begins at some
* offset.
*/
+ if( cc < 4 )
+ goto bad;
off = (bp[0] * 256) + bp[1];
n = (bp[2] * 256) + bp[3];
if (cc < 4+n || off+n > scanline)
Reference in New Issue View Git Blame Copy Permalink