openbsd-ports/graphics/tiff/patches/patch-libtiff_tif_pixarlog_c
naddy fab96bfad1 SECURITY fixes for CVE-2006-2656 and CVE-2006-3459 through 3465.
Man page fixes.

Mostly via FreeBSD.  Approving noises from bernd@ and jasper@
2008-10-25 09:39:29 +00:00


$OpenBSD: patch-libtiff_tif_pixarlog_c,v 1.4 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3461
--- libtiff/tif_pixarlog.c.orig Tue Mar 21 17:42:50 2006
+++ libtiff/tif_pixarlog.c Fri Oct 24 18:55:09 2008
@@ -768,7 +768,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, ts
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabArrayOfShort(up, nsamples);
- for (i = 0; i < nsamples; i += llen, up += llen) {
+ /*
+ * if llen is not an exact multiple of nsamples, the decode operation
+ * may overflow the output buffer, so truncate it enough to prevent that
+ * but still salvage as much data as possible.
+ * -- taviso@google.com 14th June 2006
+ */
+ if (nsamples % llen)
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: stride %lu is not a multiple of sample count, "
+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
+
+
+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
horizontalAccumulateF(up, llen, sp->stride,