72d0a18369
LibTIFF "LZWDecodeCompat()" Buffer Underflow Vulnerability Patch from upstream bugreport #2065 (committed to CVS).
86 lines
2.7 KiB
Plaintext
86 lines
2.7 KiB
Plaintext
$OpenBSD: patch-libtiff_tif_lzw_c,v 1.2 2009/06/23 07:49:31 jasper Exp $
|
|
|
|
First three chunks:
|
|
Security fix for SA31610
|
|
http://secunia.com/advisories/31610
|
|
LibTIFF LZW Decoder Buffer Underflow Vulnerability
|
|
Patch extracted from Debian's tiff_3.8.2-7+etch1
|
|
|
|
Last two chunks:
|
|
Security fix for SA35515
|
|
http://secunia.com/advisories/35515/
|
|
LibTIFF "LZWDecodeCompat()" Buffer Underflow Vulnerability
|
|
Patch from upstream bugreport #2065 (committed to CVS).
|
|
|
|
--- libtiff/tif_lzw.c.orig Tue Mar 21 17:42:50 2006
|
|
+++ libtiff/tif_lzw.c Mon Jun 22 23:58:21 2009
|
|
@@ -237,6 +237,11 @@ LZWSetupDecode(TIFF* tif)
|
|
sp->dec_codetab[code].length = 1;
|
|
sp->dec_codetab[code].next = NULL;
|
|
} while (code--);
|
|
+ /*
|
|
+ * Zero-out the unused entries
|
|
+ */
|
|
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
|
|
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
|
|
}
|
|
return (1);
|
|
}
|
|
@@ -408,12 +413,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize_t occ0, tsamp
|
|
break;
|
|
if (code == CODE_CLEAR) {
|
|
free_entp = sp->dec_codetab + CODE_FIRST;
|
|
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
|
|
nbits = BITS_MIN;
|
|
nbitsmask = MAXCODE(BITS_MIN);
|
|
maxcodep = sp->dec_codetab + nbitsmask-1;
|
|
NextCode(tif, sp, bp, code, GetNextCode);
|
|
if (code == CODE_EOI)
|
|
break;
|
|
+ if (code == CODE_CLEAR) {
|
|
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
|
|
+ "LZWDecode: Corrupted LZW table at scanline %d",
|
|
+ tif->tif_row);
|
|
+ return (0);
|
|
+ }
|
|
*op++ = (char)code, occ--;
|
|
oldcodep = sp->dec_codetab + code;
|
|
continue;
|
|
@@ -604,12 +616,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, tsize_t occ0,
|
|
break;
|
|
if (code == CODE_CLEAR) {
|
|
free_entp = sp->dec_codetab + CODE_FIRST;
|
|
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
|
|
nbits = BITS_MIN;
|
|
nbitsmask = MAXCODE(BITS_MIN);
|
|
maxcodep = sp->dec_codetab + nbitsmask;
|
|
NextCode(tif, sp, bp, code, GetNextCodeCompat);
|
|
if (code == CODE_EOI)
|
|
break;
|
|
+ if (code == CODE_CLEAR) {
|
|
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
|
|
+ "LZWDecode: Corrupted LZW table at scanline %d",
|
|
+ tif->tif_row);
|
|
+ return (0);
|
|
+ }
|
|
*op++ = code, occ--;
|
|
oldcodep = sp->dec_codetab + code;
|
|
continue;
|
|
@@ -647,6 +666,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, tsize_t occ0,
|
|
}
|
|
oldcodep = codep;
|
|
if (code >= 256) {
|
|
+ char *op_orig = op;
|
|
/*
|
|
* Code maps to a string, copy string
|
|
* value to output (written in reverse).
|
|
@@ -681,7 +701,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, tsize_t occ0,
|
|
tp = op;
|
|
do {
|
|
*--tp = codep->value;
|
|
- } while( (codep = codep->next) != NULL);
|
|
+ } while( (codep = codep->next) != NULL && tp > op_orig);
|
|
} else
|
|
*op++ = code, occ--;
|
|
}
|