Diffstat (limited to 'graphics/tiff/patches/patch-ba')
-rw-r--r--graphics/tiff/patches/patch-ba24
1 files changed, 24 insertions, 0 deletions
diff --git a/graphics/tiff/patches/patch-ba b/graphics/tiff/patches/patch-ba
new file mode 100644
index 00000000000..a7959582c7e
--- /dev/null
+++ b/graphics/tiff/patches/patch-ba
@@ -0,0 +1,24 @@
+$NetBSD: patch-ba,v 1.1 2006/08/02 15:42:25 salo Exp $
+
+Security fix for SA21304.
+
+--- libtiff/tif_next.c.orig 2005-12-21 13:33:56.000000000 +0100
++++ libtiff/tif_next.c 2006-08-02 17:18:41.000000000 +0200
+@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
+ * as codes of the form <color><npixels>
+ * until we've filled the scanline.
+ */
++ /*
++ * Ensure the run does not exceed the scanline
++ * bounds, potentially resulting in a security issue.
++ * -- taviso@google.com 14 Jun 2006.
++ */
+ op = row;
+ for (;;) {
+ grey = (n>>6) & 0x3;
+ n &= 0x3f;
+- while (n-- > 0)
++ while (n-- > 0 && npixels < scanline)
+ SETPIXEL(op, grey);
+ if (npixels >= (int) imagewidth)
+ break;
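Review bot: The added guard `npixels < scanline` on the inner `while` bounds a pixel counter by `scanline`, while the exit test two lines later compares the same counter with `imagewidth`; if `scanline` is the row size in bytes (SETPIXEL and the declarations are outside the hunk, so this is inferred from the names), the two limits are in different units and the guard does not track the actual write position `op`. A bound tied to both the pixel count and the output pointer would be easier to verify, for example `while (n-- > 0 && npixels < (int) imagewidth && op < row + scanline)`. When the guard cuts a run short, the visible lines report nothing, so a malformed run should take the decoder's error path rather than be silently truncated. The `for (;;)` body continues past the end of the hunk.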