Add fix for vulnerability reported in SA43593 taken from the

"libtiff" CVS repository.
author: tron <tron> 2011-03-12 16:10:42 +0000
committer: tron <tron> 2011-03-12 16:10:42 +0000
commit: 2431981917277b931db549e67d46529b463acd02 (patch)
tree: f292a44e1f74272198892ae081427903c6ce9b38 /graphics/tiff/patches
parent: 7aa6151ca380fab6deae2100bd331cc5e7b0a806 (diff)
download: pkgsrc-2431981917277b931db549e67d46529b463acd02.tar.gz
1 files changed, 20 insertions, 0 deletions
diff --git a/graphics/tiff/patches/patch-SA43593 b/graphics/tiff/patches/patch-SA43593
new file mode 100644
index 00000000000..870a0d5919e
--- /dev/null
+++ b/graphics/tiff/patches/patch-SA43593
@@ -0,0 +1,20 @@
+$NetBSD: patch-SA43593,v 1.1 2011/03/12 16:10:43 tron Exp $
+
+Fix heap-based buffer overflow which causes the vulnerability reported
+in SA43593. Patch taken from the "libtiff" CVS repository.
+
+--- libtiff/tif_fax3.h	8 Jun 2010 18:50:42 -0000	1.5.2.1
++++ libtiff/tif_fax3.h	10 Mar 2011 20:22:33 -0000	1.5.2.3
+@@ -478,6 +478,12 @@
+ 	    break;							\
+ 	case S_VL:							\
+ 	    CHECK_b1;							\
++	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
++		if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) {	\
++		    unexpected("VL", a0);				\
++		    goto eol2d;						\
++		}							\
++	    }								\
+ 	    SETVALUE(b1 - a0 - TabEnt->Param);				\
+ 	    b1 -= *--pb;						\
+ 	    break;							\
author	tron <tron>	2011-03-12 16:10:42 +0000
committer	tron <tron>	2011-03-12 16:10:42 +0000
commit	2431981917277b931db549e67d46529b463acd02 (patch)
tree	f292a44e1f74272198892ae081427903c6ce9b38 /graphics/tiff/patches
parent	7aa6151ca380fab6deae2100bd331cc5e7b0a806 (diff)
download	pkgsrc-2431981917277b931db549e67d46529b463acd02.tar.gz