summaryrefslogtreecommitdiffstats
path: root/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/tiff/tiff-3.8.2-CVE-2008-2327.patch')
-rw-r--r--main/tiff/tiff-3.8.2-CVE-2008-2327.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/main/tiff/tiff-3.8.2-CVE-2008-2327.patch b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
new file mode 100644
index 000000000..e6d74a67a
--- /dev/null
+++ b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
@@ -0,0 +1,64 @@
+Fixes security issues in libTIFF's handling of LZW-encoded
+images. The use of uninitialized data could lead to a buffer
+underflow and a crash or arbitrary code execution.
+
+CVE-ID: CVE-2008-2327
+Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
+
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
+ sp->dec_codetab[code].length = 1;
+ sp->dec_codetab[code].next = NULL;
+ } while (code--);
++ /*
++ * Zero-out the unused entries
++ */
++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
++
+ }
+ return (1);
+ }
+@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask-1;
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = (char)code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
+@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask;
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;