diff options
| author | James Meyer <james.meyer@operamail.com> | 2012-08-07 16:06:53 (GMT) |
|---|---|---|
| committer | James Meyer <james.meyer@operamail.com> | 2012-08-07 16:06:53 (GMT) |
| commit | 0549aa634442b489b747395153546f7d1bbf454c (patch) | |
| tree | 6597bf6c158c03074320fa8fd98eddee47563611 /abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch | |
| parent | 72bc700c43991b8e284200d165220531a815472e (diff) | |
| download | linhes_pkgbuild-0549aa634442b489b747395153546f7d1bbf454c.zip linhes_pkgbuild-0549aa634442b489b747395153546f7d1bbf454c.tar.gz linhes_pkgbuild-0549aa634442b489b747395153546f7d1bbf454c.tar.bz2 | |
libtiff 4.0.2
Diffstat (limited to 'abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch')
| -rw-r--r-- | abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch | 64 |
1 files changed, 0 insertions, 64 deletions
diff --git a/abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch b/abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch deleted file mode 100644 index e6d74a6..0000000 --- a/abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch +++ /dev/null @@ -1,64 +0,0 @@ -Fixes security issues in libTIFF's handling of LZW-encoded -images. The use of uninitialized data could lead to a buffer -underflow and a crash or arbitrary code execution. - -CVE-ID: CVE-2008-2327 -Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080 - -Index: tiff-3.8.2/libtiff/tif_lzw.c -=================================================================== ---- tiff-3.8.2.orig/libtiff/tif_lzw.c -+++ tiff-3.8.2/libtiff/tif_lzw.c -@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif) - sp->dec_codetab[code].length = 1; - sp->dec_codetab[code].next = NULL; - } while (code--); -+ /* -+ * Zero-out the unused entries -+ */ -+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, -+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); -+ - } - return (1); - } -@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask-1; - NextCode(tif, sp, bp, code, GetNextCode); - if (code == CODE_EOI) - break; -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = (char)code, occ--; - oldcodep = sp->dec_codetab + code; - continue; -@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask; - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = code, occ--; - oldcodep = sp->dec_codetab + code; - continue; |