aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch')
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
new file mode 100644
index 0000000000..fda018b7bb
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
@@ -0,0 +1,32 @@
+Copied from Debian
+
+From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 19:53:59 +0000
+Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write
+ http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
+
+---
+ ChangeLog | 5 +++++
+ tools/thumbnail.c | 8 +++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fab63f6..c50bbff 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -568,7 +568,13 @@ setImage1(const uint8* br, uint32 rw, uint32 rh)
+ err -= limit;
+ sy++;
+ if (err >= limit)
+- rows[nrows++] = br + bpr*sy;
++ {
++ /* We should perhaps error loudly, but I can't make sense of that */
++ /* code... */
++ if( nrows == 256 )
++ break;
++ rows[nrows++] = br + bpr*sy;
++ }
+ }
+ setrow(row, nrows, rows);
+ row += tnw;