diff options
Diffstat (limited to 'source/l/libtiff/libtiff-CVE-2011-1167.patch')
| -rw-r--r-- | source/l/libtiff/libtiff-CVE-2011-1167.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/source/l/libtiff/libtiff-CVE-2011-1167.patch b/source/l/libtiff/libtiff-CVE-2011-1167.patch new file mode 100644 index 00000000..d3fcf6f6 --- /dev/null +++ b/source/l/libtiff/libtiff-CVE-2011-1167.patch @@ -0,0 +1,53 @@ +Upstream patch for CVE-2011-1167, heap-based buffer overflow in thunder +decoder (ZDI-CAN-1004). + + +diff -Naur tiff-3.9.4.orig/libtiff/tif_thunder.c tiff-3.9.4/libtiff/tif_thunder.c +--- tiff-3.9.4.orig/libtiff/tif_thunder.c 2010-06-08 14:50:43.000000000 -0400 ++++ tiff-3.9.4/libtiff/tif_thunder.c 2011-03-18 12:17:13.635796403 -0400 +@@ -55,12 +55,32 @@ + static const int twobitdeltas[4] = { 0, 1, 0, -1 }; + static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; + +-#define SETPIXEL(op, v) { \ +- lastpixel = (v) & 0xf; \ +- if (npixels++ & 1) \ +- *op++ |= lastpixel; \ +- else \ ++#define SETPIXEL(op, v) { \ ++ lastpixel = (v) & 0xf; \ ++ if ( npixels < maxpixels ) \ ++ { \ ++ if (npixels++ & 1) \ ++ *op++ |= lastpixel; \ ++ else \ + op[0] = (tidataval_t) (lastpixel << 4); \ ++ } \ ++} ++ ++static int ++ThunderSetupDecode(TIFF* tif) ++{ ++ static const char module[] = "ThunderSetupDecode"; ++ ++ if( tif->tif_dir.td_bitspersample != 4 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.", ++ (int) tif->tif_dir.td_bitspersample ); ++ return 0; ++ } ++ ++ ++ return (1); + } + + static int +@@ -151,6 +171,7 @@ + (void) scheme; + tif->tif_decoderow = ThunderDecodeRow; + tif->tif_decodestrip = ThunderDecodeRow; ++ tif->tif_setupdecode = ThunderSetupDecode; + return (1); + } + #endif /* THUNDER_SUPPORT */ |