rpms / compat-libtiff3

Clone
Source Code
GIT

Blame SOURCES/libtiff-CVE-2013-4243.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9-beta
  1.   228a3064f7d7eb2f6e24ae3313348ee99095438b
  2.   SOURCES
  3.   libtiff-CVE-2013-4243.patch
Blob History Raw
7c98bb 
diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
7c98bb 
index 2786974..9262573 100644
7c98bb 
--- a/tools/gif2tiff.c
7c98bb 
+++ b/tools/gif2tiff.c
7c98bb 
@@ -276,6 +276,10 @@ readgifimage(char* mode)
7c98bb 
         fprintf(stderr, "no colormap present for image\n");
7c98bb 
         return (0);
7c98bb 
     }
7c98bb 
+    if (width == 0 || height == 0) {
7c98bb 
+        fprintf(stderr, "Invalid value of width or height\n");
7c98bb 
+        return(0);
7c98bb 
+    }
7c98bb 
     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
7c98bb 
         fprintf(stderr, "not enough memory for image\n");
7c98bb 
         return (0);
7c98bb 
@@ -402,6 +406,10 @@ process(register int code, unsigned char** fill)
7c98bb 
             fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
7c98bb 
             return 0;
7c98bb 
         }
7c98bb 
+        if (*fill >= raster + width*height) {
7c98bb 
+            fprintf(stderr, "raster full before eoi code\n");
7c98bb 
+            return 0;
7c98bb 
+        }
7c98bb 
 	*(*fill)++ = suffix[code];
7c98bb 
 	firstchar = oldcode = code;
7c98bb 
 	return 1;
7c98bb 
@@ -432,6 +440,10 @@ process(register int code, unsigned char** fill)
7c98bb 
     }
7c98bb 
     oldcode = incode;
7c98bb 
     do {
7c98bb 
+        if (*fill >= raster + width*height) {
7c98bb 
+            fprintf(stderr, "raster full before eoi code\n");
7c98bb 
+            return 0;
7c98bb 
+        }
7c98bb 
 	*(*fill)++ = *--stackp;
7c98bb 
     } while (stackp > stack);
7c98bb 
     return 1;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation