summaryrefslogtreecommitdiffstats
path: root/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch
diff options
context:
space:
mode:
authorJames Meyer <james.meyer@operamail.com>2009-08-01 03:14:54 (GMT)
committerJames Meyer <james.meyer@operamail.com>2009-08-01 03:14:54 (GMT)
commit7b35632e80f168d8c5f2220bf610ee7e24b81270 (patch)
tree8facf3fa565911f056a08e38f6a5eed0f756f9c6 /abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch
parent7e10f51870aa10be3b35d7912a7b54e30f608bb8 (diff)
parent7accc0f042acdfdca9f067b1d4011d6ac01b1a74 (diff)
downloadlinhes_pkgbuild-7b35632e80f168d8c5f2220bf610ee7e24b81270.zip
linhes_pkgbuild-7b35632e80f168d8c5f2220bf610ee7e24b81270.tar.gz
linhes_pkgbuild-7b35632e80f168d8c5f2220bf610ee7e24b81270.tar.bz2
Merge branch 'HEAD' of ssh://jams@knoppmyth.net/mount/repository/LinHES-PKGBUILD
Conflicts: abs/core-testing/LinHES-config/PKGBUILD
Diffstat (limited to 'abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch')
-rw-r--r--abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch b/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch
new file mode 100644
index 0000000..e6d74a6
--- /dev/null
+++ b/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch
@@ -0,0 +1,64 @@
+Fixes security issues in libTIFF's handling of LZW-encoded
+images. The use of uninitialized data could lead to a buffer
+underflow and a crash or arbitrary code execution.
+
+CVE-ID: CVE-2008-2327
+Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
+
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
+ sp->dec_codetab[code].length = 1;
+ sp->dec_codetab[code].next = NULL;
+ } while (code--);
++ /*
++ * Zero-out the unused entries
++ */
++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
++
+ }
+ return (1);
+ }
+@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask-1;
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = (char)code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
+@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask;
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;