Diffstat (limited to 'graphics/tiff/patches/patch-bb')
-rw-r--r-- | graphics/tiff/patches/patch-bb | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/graphics/tiff/patches/patch-bb b/graphics/tiff/patches/patch-bb
new file mode 100644
index 00000000000..51e920f1f78
--- /dev/null
+++ b/graphics/tiff/patches/patch-bb
@@ -0,0 +1,27 @@
+$NetBSD: patch-bb,v 1.1 2006/08/02 15:42:25 salo Exp $
+
+Security fix for SA21304.
+
+--- libtiff/tif_pixarlog.c.orig 2006-03-21 17:42:50.000000000 +0100
++++ libtiff/tif_pixarlog.c 2006-08-02 17:18:41.000000000 +0200
+@@ -768,7 +768,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, t
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabArrayOfShort(up, nsamples);
+
+- for (i = 0; i < nsamples; i += llen, up += llen) {
++ /*
++ * if llen is not an exact multiple of nsamples, the decode operation
++ * may overflow the output buffer, so truncate it enough to prevent that
++ * but still salvage as much data as possible.
++ * -- taviso@google.com 14th June 2006
++ */
++ if (nsamples % llen)
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "%s: stride %lu is not a multiple of sample count, "
++ "%lu, data truncated.", tif->tif_name, llen, nsamples);
++
++
++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+ switch (sp->user_datafmt) {
+ case PIXARLOGDATAFMT_FLOAT:
+ horizontalAccumulateF(up, llen, sp->stride, |
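Review bot: The added `TIFFWarningExt` call passes `llen` and `nsamples` to `%lu` without a cast; their declarations are outside the hunk, but if they are `int` (as the `i < nsamples` loop comparison suggests) this is a varargs type mismatch, so the arguments should read `(unsigned long) llen, (unsigned long) nsamples`. The warning text and the comment above it also state the relation backwards: the test is `nsamples % llen`, so it is the sample count that is not a multiple of the stride. Both the new test and the new loop bound take a modulo by `llen`, so it is worth confirming in the code before this hunk that `llen` cannot be zero for a malformed file, since that would trap before the truncation takes effect. PixarLogDecode's body starts and ends outside the hunk.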