Diffstat (limited to 'graphics/tiff/patches/patch-tools_tiffcp.c')
-rw-r--r-- | graphics/tiff/patches/patch-tools_tiffcp.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/graphics/tiff/patches/patch-tools_tiffcp.c b/graphics/tiff/patches/patch-tools_tiffcp.c
index b0ad6d718ab..8dc4bbdf258 100644
--- a/graphics/tiff/patches/patch-tools_tiffcp.c
+++ b/graphics/tiff/patches/patch-tools_tiffcp.c
@@ -1,4 +1,4 @@
-$NetBSD: patch-tools_tiffcp.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $
+$NetBSD: patch-tools_tiffcp.c,v 1.2.2.4 2017/05/11 17:47:20 bsiegert Exp $
 CVE-2017-5225
 http://bugzilla.maptools.org/show_bug.cgi?id=2656
@@ -11,6 +11,12 @@ CVE-2016-10093
 http://bugzilla.maptools.org/show_bug.cgi?id=2610
 https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
+and
+
+CVE-2016-10268
+http://bugzilla.maptools.org/show_bug.cgi?id=2598
+https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
+
 --- tools/tiffcp.c.orig 2016-10-12 01:45:17.000000000 +0000
 +++ tools/tiffcp.c
 @@ -592,7 +592,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF
@@ -22,6 +28,15 @@ https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
 uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
 copyFunc cf;
 uint32 width, length;
+@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips)
+ tstrip_t s, ns = TIFFNumberOfStrips(in);
+ uint32 row = 0;
+ _TIFFmemset(buf, 0, stripsize);
+- for (s = 0; s < ns; s++) {
++ for (s = 0; s < ns && row < imagelength; s++) {
+ tsize_t cc = (row + rowsperstrip > imagelength) ?
+ TIFFVStripSize(in, imagelength - row) : stripsize;
+ if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
 @@ -1068,6 +1068,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
 register uint32 n;
 uint32 row;
|
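Review bot: The header comment now lists three CVEs, but nothing ties the added `@@ -985,7 +985,7 @@` hunk in cpDecodedStrips to CVE-2016-10268, so a later maintainer cannot tell which hunks to drop once upstream ships a given fix. A line such as `CVE-2016-10268: cpDecodedStrips, stop the strip loop at imagelength` under the new reference would do. The guard `row < imagelength` matters because `row` is a `uint32`, so `imagelength - row` in the `TIFFVStripSize` call would wrap once `row` passes `imagelength`, presumably when a file declares more strips than its height needs. The sum `row + rowsperstrip` in the same condition is also unsigned arithmetic and is not covered by this change; whether it can wrap depends on how `rowsperstrip` is bounded. Neither that bound nor the statement that advances `row` is visible in the hunk.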