$NetBSD: patch-ba,v 1.1 2006/08/02 15:42:25 salo Exp $

Security fix for SA21304.

--- libtiff/tif_next.c.orig	2005-12-21 13:33:56.000000000 +0100
+++ libtiff/tif_next.c	2006-08-02 17:18:41.000000000 +0200
@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
 			 * as codes of the form <color><npixels>
 			 * until we've filled the scanline.
 			 */
+			/*
+			 * Ensure the run does not exceed the scanline
+			 * bounds, potentially resulting in a security issue.
+			 * -- taviso@google.com 14 Jun 2006.
+			 */
 			op = row;
 			for (;;) {
 				grey = (n>>6) & 0x3;
 				n &= 0x3f;
-				while (n-- > 0)
+				while (n-- > 0 && npixels < scanline)
 					SETPIXEL(op, grey);
 				if (npixels >= (int) imagewidth)
 					break;