blob: a7959582c7ebc9ccf0545a1124178e4589f7e268 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
$NetBSD: patch-ba,v 1.1 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_next.c.orig 2005-12-21 13:33:56.000000000 +0100
+++ libtiff/tif_next.c 2006-08-02 17:18:41.000000000 +0200
@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
* as codes of the form <color><npixels>
* until we've filled the scanline.
*/
+ /*
+ * Ensure the run does not exceed the scanline
+ * bounds, potentially resulting in a security issue.
+ * -- taviso@google.com 14 Jun 2006.
+ */
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
- while (n-- > 0)
+ while (n-- > 0 && npixels < scanline)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
|
