Blame SOURCES/libtiff-CVE-2009-5022.patch
|
 |
6456d8 |
Check that image width shown in SOF doesn't exceed what libtiff has
|
|
|
6456d8 |
allocated based on ImageWidth. Patch from upstream bug
|
|
|
6456d8 |
http://bugzilla.maptools.org/show_bug.cgi?id=1999
|
|
|
6456d8 |
|
|
|
6456d8 |
|
|
|
6456d8 |
diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
|
|
|
6456d8 |
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2010-06-08 19:29:51.000000000 -0400
|
|
|
6456d8 |
+++ tiff-3.9.4/libtiff/tif_ojpeg.c 2011-04-13 11:38:55.486008471 -0400
|
|
|
6456d8 |
@@ -1537,7 +1537,6 @@
|
|
|
6456d8 |
OJPEGReadSkip(sp,4);
|
|
|
6456d8 |
else
|
|
|
6456d8 |
{
|
|
|
6456d8 |
- /* TODO: probably best to also add check on allowed upper bound, especially x, may cause buffer overflow otherwise i think */
|
|
|
6456d8 |
/* Y: Number of lines */
|
|
|
6456d8 |
if (OJPEGReadWord(sp,&p)==0)
|
|
|
6456d8 |
return(0);
|
|
|
6456d8 |
@@ -1555,6 +1554,11 @@
|
|
|
6456d8 |
TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width");
|
|
|
6456d8 |
return(0);
|
|
|
6456d8 |
}
|
|
|
6456d8 |
+ if ((uint32)p>sp->strile_width)
|
|
|
6456d8 |
+ {
|
|
|
6456d8 |
+ TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width");
|
|
|
6456d8 |
+ return(0);
|
|
|
6456d8 |
+ }
|
|
|
6456d8 |
sp->sof_x=p;
|
|
|
6456d8 |
}
|
|
|
6456d8 |
/* Nf: Number of image components in frame */
|