summaryrefslogtreecommitdiffstats
path: root/source/l/libtiff/libtiff-CVE-2011-1167.patch
diff options
context:
space:
mode:
Diffstat (limited to 'source/l/libtiff/libtiff-CVE-2011-1167.patch')
-rw-r--r--source/l/libtiff/libtiff-CVE-2011-1167.patch53
1 files changed, 53 insertions, 0 deletions
diff --git a/source/l/libtiff/libtiff-CVE-2011-1167.patch b/source/l/libtiff/libtiff-CVE-2011-1167.patch
new file mode 100644
index 000000000..d3fcf6f64
--- /dev/null
+++ b/source/l/libtiff/libtiff-CVE-2011-1167.patch
@@ -0,0 +1,53 @@
+Upstream patch for CVE-2011-1167, heap-based buffer overflow in thunder
+decoder (ZDI-CAN-1004).
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_thunder.c tiff-3.9.4/libtiff/tif_thunder.c
+--- tiff-3.9.4.orig/libtiff/tif_thunder.c 2010-06-08 14:50:43.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_thunder.c 2011-03-18 12:17:13.635796403 -0400
+@@ -55,12 +55,32 @@
+ static const int twobitdeltas[4] = { 0, 1, 0, -1 };
+ static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
+
+-#define SETPIXEL(op, v) { \
+- lastpixel = (v) & 0xf; \
+- if (npixels++ & 1) \
+- *op++ |= lastpixel; \
+- else \
++#define SETPIXEL(op, v) { \
++ lastpixel = (v) & 0xf; \
++ if ( npixels < maxpixels ) \
++ { \
++ if (npixels++ & 1) \
++ *op++ |= lastpixel; \
++ else \
+ op[0] = (tidataval_t) (lastpixel << 4); \
++ } \
++}
++
++static int
++ThunderSetupDecode(TIFF* tif)
++{
++ static const char module[] = "ThunderSetupDecode";
++
++ if( tif->tif_dir.td_bitspersample != 4 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
++ (int) tif->tif_dir.td_bitspersample );
++ return 0;
++ }
++
++
++ return (1);
+ }
+
+ static int
+@@ -151,6 +171,7 @@
+ (void) scheme;
+ tif->tif_decoderow = ThunderDecodeRow;
+ tif->tif_decodestrip = ThunderDecodeRow;
++ tif->tif_setupdecode = ThunderSetupDecode;
+ return (1);
+ }
+ #endif /* THUNDER_SUPPORT */