Blame SOURCES/libtiff-CVE-2009-5022.patch

7c98bb
Check that image width shown in SOF doesn't exceed what libtiff has
7c98bb
allocated based on ImageWidth.  Patch from upstream bug
7c98bb
http://bugzilla.maptools.org/show_bug.cgi?id=1999
7c98bb
7c98bb
7c98bb
diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
7c98bb
--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c	2010-06-08 19:29:51.000000000 -0400
7c98bb
+++ tiff-3.9.4/libtiff/tif_ojpeg.c	2011-04-13 11:38:55.486008471 -0400
7c98bb
@@ -1537,7 +1537,6 @@
7c98bb
 		OJPEGReadSkip(sp,4);
7c98bb
 	else
7c98bb
 	{
7c98bb
-		/* TODO: probably best to also add check on allowed upper bound, especially x, may cause buffer overflow otherwise i think */
7c98bb
 		/* Y: Number of lines */
7c98bb
 		if (OJPEGReadWord(sp,&p)==0)
7c98bb
 			return(0);
7c98bb
@@ -1555,6 +1554,11 @@
7c98bb
 			TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width");
7c98bb
 			return(0);
7c98bb
 		}
7c98bb
+		if ((uint32)p>sp->strile_width)
7c98bb
+		{
7c98bb
+			TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width");
7c98bb
+			return(0);
7c98bb
+		}
7c98bb
 		sp->sof_x=p;
7c98bb
 	}
7c98bb
 	/* Nf: Number of image components in frame */