1 files changed, 37 insertions, 0 deletions

diff --git a/graphics/tiff/patches/patch-bc b/graphics/tiff/patches/patch-bc
new file mode 100644
index 00000000000..64998563e4f
--- /dev/null
+++ b/graphics/tiff/patches/patch-bc
@@ -0,0 +1,37 @@
+$NetBSD: patch-bc,v 1.1 2006/08/02 15:42:25 salo Exp $
+
+Security fix for SA21304.
+
+--- libtiff/tif_read.c.orig	2005-12-21 13:33:56.000000000 +0100
++++ libtiff/tif_read.c	2006-08-02 17:18:41.000000000 +0200
+@@ -272,7 +272,13 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip)
+ 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ 			_TIFFfree(tif->tif_rawdata);
+ 		tif->tif_flags &= ~TIFF_MYBUFFER;
+-		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
++		/*
++		 * This sanity check could potentially overflow, causing an OOB read.
++		 * verify that offset + bytecount is > offset.
++		 * -- taviso@google.com 14 Jun 2006
++		 */
++		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
++			(td->td_stripoffset[strip] + bytecount) < td->td_stripoffset[strip]) {
+ 			/*
+ 			 * This error message might seem strange, but it's
+ 			 * what would happen if a read were done instead.
+@@ -470,7 +476,14 @@ TIFFFillTile(TIFF* tif, ttile_t tile)
+ 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ 			_TIFFfree(tif->tif_rawdata);
+ 		tif->tif_flags &= ~TIFF_MYBUFFER;
+-		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
++		/*
++		 * We must check this calculation doesnt overflow, potentially
++		 * causing an OOB read.
++		 * -- taviso@google.com 15 Jun 2006
++		 */
++		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size ||
++			(td->td_stripoffset[tile] + bytecount) < 
++				td->td_stripoffset[tile]) {
+ 			tif->tif_curtile = NOTILE;
+ 			return (0);
+ 		}