summaryrefslogtreecommitdiff
path: root/graphics/tiff/patches/patch-SA43593
blob: 870a0d5919ed8090d1e416f0c483d13e57d7d563 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$NetBSD: patch-SA43593,v 1.1 2011/03/12 16:10:43 tron Exp $

Fix heap-based buffer overflow which causes the vulnerability reported
in SA43593. Patch taken from the "libtiff" CVS repository.

--- libtiff/tif_fax3.h	8 Jun 2010 18:50:42 -0000	1.5.2.1
+++ libtiff/tif_fax3.h	10 Mar 2011 20:22:33 -0000	1.5.2.3
@@ -478,6 +478,12 @@
 	    break;							\
 	case S_VL:							\
 	    CHECK_b1;							\
+	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
+		if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) {	\
+		    unexpected("VL", a0);				\
+		    goto eol2d;						\
+		}							\
+	    }								\
 	    SETVALUE(b1 - a0 - TabEnt->Param);				\
 	    b1 -= *--pb;						\
 	    break;							\