"Some vulnerabilities have been reported in libTIFF, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerabilities are caused due to various heap and integer overflows when processing TIFF images and can be exploited via a specially crafted TIFF image. Successful exploitation allows crashing applications linked against libTIFF and may also allow execution of arbitrary code." http://secunia.com/advisories/21304/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465 Patches from Tavis Ormandy, Google Security Team via SUSE. Bump PKGREVISION.
24 lines
739 B
Text
$NetBSD: patch-ba,v 1.1 2006/08/02 15:42:25 salo Exp $
Security fix for SA21304.
--- libtiff/tif_next.c.orig 2005-12-21 13:33:56.000000000 +0100
+++ libtiff/tif_next.c 2006-08-02 17:18:41.000000000 +0200
@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
* as codes of the form <color><npixels>
* until we've filled the scanline.
*/
+ /*
+ * Ensure the run does not exceed the scanline
+ * bounds, potentially resulting in a security issue.
+ * -- taviso@google.com 14 Jun 2006.
+ */
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
- while (n-- > 0)
+ while (n-- > 0 && npixels < scanline)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
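Review bot: The new bound in `while (n-- > 0 && npixels < scanline)` uses `scanline`, but the exit test two lines later is `if (npixels >= (int) imagewidth) break;`, so the write limit and the termination limit are two different quantities. The hunk does not show how `scanline` is defined; if it can be smaller than `imagewidth` (for instance a byte count rather than a pixel count), writes stop at `scanline` while `npixels` never reaches `imagewidth`, and the `for (;;)` loop then depends on something outside this hunk to terminate. Suggest bounding the run with the same value the break uses, e.g. `npixels < (int) imagewidth`, or saying in the comment why `scanline` is the correct limit. The comment would also read better directly above the `while` it explains rather than above `op = row;`.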