summaryrefslogtreecommitdiff
path: root/graphics/tiff/patches/patch-bb
diff options
context:
space:
mode:
Diffstat (limited to 'graphics/tiff/patches/patch-bb')
-rw-r--r--graphics/tiff/patches/patch-bb27
1 files changed, 27 insertions, 0 deletions
diff --git a/graphics/tiff/patches/patch-bb b/graphics/tiff/patches/patch-bb
new file mode 100644
index 00000000000..51e920f1f78
--- /dev/null
+++ b/graphics/tiff/patches/patch-bb
@@ -0,0 +1,27 @@
+$NetBSD: patch-bb,v 1.1 2006/08/02 15:42:25 salo Exp $
+
+Security fix for SA21304.
+
+--- libtiff/tif_pixarlog.c.orig 2006-03-21 17:42:50.000000000 +0100
++++ libtiff/tif_pixarlog.c 2006-08-02 17:18:41.000000000 +0200
+@@ -768,7 +768,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, t
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabArrayOfShort(up, nsamples);
+
+- for (i = 0; i < nsamples; i += llen, up += llen) {
++ /*
++ * if llen is not an exact multiple of nsamples, the decode operation
++ * may overflow the output buffer, so truncate it enough to prevent that
++ * but still salvage as much data as possible.
++ * -- taviso@google.com 14th June 2006
++ */
++ if (nsamples % llen)
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "%s: stride %lu is not a multiple of sample count, "
++ "%lu, data truncated.", tif->tif_name, llen, nsamples);
++
++
++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+ switch (sp->user_datafmt) {
+ case PIXARLOGDATAFMT_FLOAT:
+ horizontalAccumulateF(up, llen, sp->stride,
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-13 13:17:57 +0000