fab96bfad1
Man page fixes. Mostly via FreeBSD. Approving noises from bernd@ and jasper@
$OpenBSD: patch-libtiff_tif_next_c,v 1.3 2008/10/25 09:39:29 naddy Exp $
CVE-2006-3462
--- libtiff/tif_next.c.orig Wed Dec 21 13:33:56 2005
+++ libtiff/tif_next.c Fri Oct 24 18:54:53 2008
@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsamp
* as codes of the form <color><npixels>
* until we've filled the scanline.
*/
+ /*
+ * Ensure the run does not exceed the scanline
+ * bounds, potentially resulting in a security issue.
+ * -- taviso@google.com 14 Jun 2006.
+ */
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
- while (n-- > 0)
+ while (n-- > 0 && npixels < imagewidth)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
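Review bot: The new guard `while (n-- > 0 && npixels < imagewidth)` clamps an over-long run but accepts it silently, so a file whose run codes claim more pixels than the scanline holds still decodes as if it were well-formed; reporting the truncation, or failing the decode, would make malformed input visible to callers. The clamp also relies on the buffer behind `row` holding at least imagewidth pixels, which this hunk does not show and is worth confirming, since NeXTDecode's body starts and ends outside the hunk. The two comparisons against the width are now written differently, one bare and one as `(int) imagewidth`; whatever the declared types are, using the same form in both avoids a signed/unsigned mismatch. The added comment would be easier to keep in sync if it sat directly above the `while` it explains, for example `/* clamp the run to the scanline width (CVE-2006-3462) */`.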