From d15bb4e7efca625e3d5265000ebd9df08c59f8c1 Mon Sep 17 00:00:00 2001
From: Nathan Harris <nharris@eoimaging.com>
Date: Fri, 17 Jul 2009 16:42:40 -0400
Subject: libtiff: missed a patch file

---
 .../libtiff/tiff-3.8.2-CVE-2008-2327.patch         | 64 ++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch

diff --git a/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch b/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch
new file mode 100644
index 0000000..e6d74a6
--- /dev/null
+++ b/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch
@@ -0,0 +1,64 @@
+Fixes security issues in libTIFF's handling of LZW-encoded
+images.  The use of uninitialized data could lead to a buffer
+underflow and a crash or arbitrary code execution.
+
+CVE-ID: CVE-2008-2327
+Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
+
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
+                     sp->dec_codetab[code].length = 1;
+                     sp->dec_codetab[code].next = NULL;
+                 } while (code--);
++		/*
++		* Zero-out the unused entries
++		*/
++		_TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++		(CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
++
+ 	}
+ 	return (1);
+ }
+@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ 			break;
+ 		if (code == CODE_CLEAR) {
+ 			free_entp = sp->dec_codetab + CODE_FIRST;
++			_TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ 			nbits = BITS_MIN;
+ 			nbitsmask = MAXCODE(BITS_MIN);
+ 			maxcodep = sp->dec_codetab + nbitsmask-1;
+ 			NextCode(tif, sp, bp, code, GetNextCode);
+ 			if (code == CODE_EOI)
+ 				break;
++			if (code == CODE_CLEAR) {
++				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++				"LZWDecode: Corrupted LZW table at scanline %d",
++				tif->tif_row);
++				return (0);
++			}
+ 			*op++ = (char)code, occ--;
+ 			oldcodep = sp->dec_codetab + code;
+ 			continue;
+@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ 			break;
+ 		if (code == CODE_CLEAR) {
+ 			free_entp = sp->dec_codetab + CODE_FIRST;
++			_TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ 			nbits = BITS_MIN;
+ 			nbitsmask = MAXCODE(BITS_MIN);
+ 			maxcodep = sp->dec_codetab + nbitsmask;
+ 			NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ 			if (code == CODE_EOI)
+ 				break;
++			if (code == CODE_CLEAR) {
++				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++				"LZWDecode: Corrupted LZW table at scanline %d",
++				tif->tif_row);
++				return (0);
++			}
+ 			*op++ = code, occ--;
+ 			oldcodep = sp->dec_codetab + code;
+ 			continue;
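Review bot: The guard added after the post-clear NextCode() in LZWDecode, and its copy in LZWDecodeCompat, rejects only a second CODE_CLEAR. Any other non-literal code read at that point still reaches `*op++ = (char)code` and `oldcodep = sp->dec_codetab + code`, leaving oldcodep on an entry the new _TIFFmemset has just zeroed. CODE_EOI is already handled on the line before, so widening the test to `if (code >= CODE_CLEAR) {` would reject every code that is not a plain byte value; this assumes codes below CODE_CLEAR are the literals, as the setup loop in LZWSetupDecode suggests. The LZWDecodeCompat copy also labels its error "LZWDecode:", so the two decode paths cannot be told apart in logs. Both decode functions extend outside the hunks shown, and this commit adds only the patch file, so it is worth confirming that the package build script applies it.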
-- 
cgit v0.12