Upstream patch for CVE-2011-1167, heap-based buffer overflow in thunder

decoder (ZDI-CAN-1004).

diff -Naur tiff-3.9.4.orig/libtiff/tif_thunder.c tiff-3.9.4/libtiff/tif_thunder.c

--- tiff-3.9.4.orig/libtiff/tif_thunder.c	2010-06-08 14:50:43.000000000 -0400

+++ tiff-3.9.4/libtiff/tif_thunder.c	2011-03-18 12:17:13.635796403 -0400

@@ -55,12 +55,32 @@

 static const int twobitdeltas[4] = { 0, 1, 0, -1 };

 static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };

-#define	SETPIXEL(op, v) { \

-	lastpixel = (v) & 0xf; \

-	if (npixels++ & 1) \

-	    *op++ |= lastpixel; \

-	else \

+#define	SETPIXEL(op, v) {                     \

+	lastpixel = (v) & 0xf;                \

+        if ( npixels < maxpixels )         \

+        {                                     \

+	  if (npixels++ & 1)                  \

+	    *op++ |= lastpixel;               \

+	  else                                \

 	    op[0] = (tidataval_t) (lastpixel << 4); \

+        }                                     \

+}

+

+static int

+ThunderSetupDecode(TIFF* tif)

+{

+	static const char module[] = "ThunderSetupDecode";

+

+        if( tif->tif_dir.td_bitspersample != 4 )

+        {

+                TIFFErrorExt(tif->tif_clientdata, module,

+                             "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",

+                             (int) tif->tif_dir.td_bitspersample );

+                return 0;

+        }

+        

+

+	return (1);

 }

 static int

@@ -151,6 +171,7 @@

 	(void) scheme;

 	tif->tif_decoderow = ThunderDecodeRow;

 	tif->tif_decodestrip = ThunderDecodeRow;

+	tif->tif_setupdecode = ThunderSetupDecode;

 	return (1);

 }

 #endif /* THUNDER_SUPPORT */