diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2009-08-20 13:30:59 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2009-08-20 13:30:59 +0000 |
| commit | bb3724aa4701bc30a93b8323a71ac578789cb784 (patch) | |
| tree | 74be00b9d5f036b1e03497bfd8ebba6f2b210fa9 /main/tiff/tiff-3.8.2-CVE-2008-2327.patch | |
| parent | f0404cc32bc2fee17dcc6c0badd7d42a9ba253ea (diff) | |
| download | aports-bb3724aa4701bc30a93b8323a71ac578789cb784.tar.bz2 aports-bb3724aa4701bc30a93b8323a71ac578789cb784.tar.xz | |
main/tiff: security patches
Diffstat (limited to 'main/tiff/tiff-3.8.2-CVE-2008-2327.patch')
| -rw-r--r-- | main/tiff/tiff-3.8.2-CVE-2008-2327.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/main/tiff/tiff-3.8.2-CVE-2008-2327.patch b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch new file mode 100644 index 000000000..e6d74a67a --- /dev/null +++ b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch @@ -0,0 +1,64 @@ +Fixes security issues in libTIFF's handling of LZW-encoded +images. The use of uninitialized data could lead to a buffer +underflow and a crash or arbitrary code execution. + +CVE-ID: CVE-2008-2327 +Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080 + +Index: tiff-3.8.2/libtiff/tif_lzw.c +=================================================================== +--- tiff-3.8.2.orig/libtiff/tif_lzw.c ++++ tiff-3.8.2/libtiff/tif_lzw.c +@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif) + sp->dec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); ++ /* ++ * Zero-out the unused entries ++ */ ++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); ++ + } + return (1); + } +@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask-1; + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = (char)code, occ--; + oldcodep = sp->dec_codetab + code; + continue; +@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = code, occ--; + oldcodep = sp->dec_codetab + code; + continue; |