pkgsrc/graphics/tiff/patches/patch-ba

$NetBSD: patch-ba,v 1.1 2006/08/02 15:42:25 salo Exp $

Security fix for SA21304.

--- libtiff/tif_next.c.orig	2005-12-21 13:33:56.000000000 +0100
+++ libtiff/tif_next.c	2006-08-02 17:18:41.000000000 +0200
@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
 			 * as codes of the form <color><npixels>
 			 * until we've filled the scanline.
 			 */
+			/*
+			 * Ensure the run does not exceed the scanline
+			 * bounds, potentially resulting in a security issue.
+			 * -- taviso@google.com 14 Jun 2006.
+			 */
 			op = row;
 			for (;;) {
 				grey = (n>>6) & 0x3;
 				n &= 0x3f;
-				while (n-- > 0)
+				while (n-- > 0 && npixels < scanline)
 					SETPIXEL(op, grey);
 				if (npixels >= (int) imagewidth)
 					break;
Security fixes for SA21304: "Some vulnerabilities have been reported in libTIFF, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerabilities are caused due to various heap and integer overflows when processing TIFF images and can be exploited via a specially crafted TIFF image. Successful exploitation allows crashing applications linked against libTIFF and may also allow execution of arbitrary code." http://secunia.com/advisories/21304/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465 Patches from Tavis Ormandy, Google Security Team via SUSE. Bump PKGREVISION. 2006-08-02 17:42:25 +02:00			$NetBSD: patch-ba,v 1.1 2006/08/02 15:42:25 salo Exp $

			`Security fix for SA21304.`

			`--- libtiff/tif_next.c.orig 2005-12-21 13:33:56.000000000 +0100`
			`+++ libtiff/tif_next.c 2006-08-02 17:18:41.000000000 +0200`
			`@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz`
			`* as codes of the form <color><npixels>`
			`* until we've filled the scanline.`
			`*/`
			`+ /*`
			`+ * Ensure the run does not exceed the scanline`
			`+ * bounds, potentially resulting in a security issue.`
			`+ * -- taviso@google.com 14 Jun 2006.`
			`+ */`
			`op = row;`
			`for (;;) {`
			`grey = (n>>6) & 0x3;`
			`n &= 0x3f;`
			`- while (n-- > 0)`
			`+ while (n-- > 0 && npixels < scanline)`
			`SETPIXEL(op, grey);`
			`if (npixels >= (int) imagewidth)`
			`break;`