blob: 64998563e4f5926445bee644497529eba97ed65b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
$NetBSD: patch-bc,v 1.1 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_read.c.orig 2005-12-21 13:33:56.000000000 +0100
+++ libtiff/tif_read.c 2006-08-02 17:18:41.000000000 +0200
@@ -272,7 +272,13 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip)
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+ /*
+ * This sanity check could potentially overflow, causing an OOB read.
+ * verify that offset + bytecount is > offset.
+ * -- taviso@google.com 14 Jun 2006
+ */
+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+ (td->td_stripoffset[strip] + bytecount) < td->td_stripoffset[strip]) {
/*
* This error message might seem strange, but it's
* what would happen if a read were done instead.
@@ -470,7 +476,14 @@ TIFFFillTile(TIFF* tif, ttile_t tile)
if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
_TIFFfree(tif->tif_rawdata);
tif->tif_flags &= ~TIFF_MYBUFFER;
- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+ /*
+ * We must check this calculation doesnt overflow, potentially
+ * causing an OOB read.
+ * -- taviso@google.com 15 Jun 2006
+ */
+ if ( td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+ (td->td_stripoffset[tile] + bytecount) <
+ td->td_stripoffset[tile]) {
tif->tif_curtile = NOTILE;
return (0);
}
|
