diff options
Diffstat (limited to 'graphics/tiff/patches/patch-bc')
-rw-r--r-- | graphics/tiff/patches/patch-bc | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/graphics/tiff/patches/patch-bc b/graphics/tiff/patches/patch-bc new file mode 100644 index 00000000000..64998563e4f --- /dev/null +++ b/graphics/tiff/patches/patch-bc @@ -0,0 +1,37 @@ +$NetBSD: patch-bc,v 1.1 2006/08/02 15:42:25 salo Exp $ + +Security fix for SA21304. + +--- libtiff/tif_read.c.orig 2005-12-21 13:33:56.000000000 +0100 ++++ libtiff/tif_read.c 2006-08-02 17:18:41.000000000 +0200 +@@ -272,7 +272,13 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip) + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { ++ /* ++ * This sanity check could potentially overflow, causing an OOB read. ++ * verify that offset + bytecount is > offset. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || ++ (td->td_stripoffset[strip] + bytecount) < td->td_stripoffset[strip]) { + /* + * This error message might seem strange, but it's + * what would happen if a read were done instead. +@@ -470,7 +476,14 @@ TIFFFillTile(TIFF* tif, ttile_t tile) + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { ++ /* ++ * We must check this calculation doesnt overflow, potentially ++ * causing an OOB read. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if ( td->td_stripoffset[tile] + bytecount > tif->tif_size || ++ (td->td_stripoffset[tile] + bytecount) < ++ td->td_stripoffset[tile]) { + tif->tif_curtile = NOTILE; + return (0); + } |