aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch')
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch60
1 files changed, 60 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
new file mode 100644
index 0000000000..8166c55758
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
@@ -0,0 +1,60 @@
+Fix heap-based buffer overflow in combineSeparateSamples16bits():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
+ readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
+buffer.
+ Reported by Agostina Sarubo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1179; previous revision: 1.1178
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
+new revision: 1.48; previous revision: 1.47
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.47
+retrieving revision 1.48
+diff -u -r1.47 -r1.48
+--- libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47
++++ libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
+
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+ * the image data through additional options listed below
+@@ -4815,10 +4815,17 @@
+ nstrips = TIFFNumberOfStrips(in);
+ strips_per_sample = nstrips /spp;
+
++ /* Add 3 padding bytes for combineSeparateSamples32bits */
++ if( (size_t) stripsize > 0xFFFFFFFFU - 3U )
++ {
++ TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size.");
++ exit(-1);
++ }
++
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ srcbuffs[s] = NULL;
+- buff = _TIFFmalloc(stripsize);
++ buff = _TIFFmalloc(stripsize + 3);
+ if (!buff)
+ {
+ TIFFError ("readSeparateStripsIntoBuffer",
+@@ -4827,6 +4834,9 @@
+ _TIFFfree (srcbuffs[i]);
+ return 0;
+ }
++ buff[stripsize] = 0;
++ buff[stripsize+1] = 0;
++ buff[stripsize+2] = 0;
+ srcbuffs[s] = buff;
+ }
+