Petr Gajdos
daa5f36cc1
CVE-2014-8129, CVE-2014-8130, CVE-2015-1547
bnc#914890, bnc#916925, bnc#916927
+ erouault.2856.patch
+ erouault.2857.patch
+ erouault.2858.patch
+ erouault.2859.patch
+ erouault.2860.patch
+ erouault.2861.patch
+ erouault.2862.patch
+ erouault.2863.patch
+ erouault.2876.patch
+ bfriesen.2805.patch
+ tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
+ tiff-handle-TIFFTAG_PREDICTOR.patch
+ tiff-dither-malloc-check.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=65
91 lines
2.1 KiB
Diff
91 lines
2.1 KiB
Diff
---------------------
|
|
PatchSet 2876
|
|
Date: 2014/12/29 14:09:11
|
|
Author: erouault
|
|
Branch: HEAD
|
|
Tag: (none)
|
|
Log:
|
|
* libtiff/tif_next.c: add new tests to check that we don't read outside of
|
|
the compressed input stream buffer.
|
|
|
|
* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
|
|
|
|
Members:
|
|
ChangeLog:1.980->1.981
|
|
libtiff/tif_getimage.c:1.85->1.86
|
|
libtiff/tif_next.c:1.15->1.16
|
|
|
|
Index: libtiff/libtiff/tif_getimage.c
|
|
diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86
|
|
--- libtiff/libtiff/tif_getimage.c:1.85 Thu Dec 25 13:29:11 2014
|
|
+++ libtiff/libtiff/tif_getimage.c Mon Dec 29 07:09:11 2014
|
|
@@ -1871,7 +1871,7 @@
|
|
|
|
(void) y;
|
|
fromskew = (fromskew * 10) / 4;
|
|
- if ((h & 3) == 0 && (w & 1) == 0) {
|
|
+ if ((w & 3) == 0 && (h & 1) == 0) {
|
|
for (; h >= 2; h -= 2) {
|
|
x = w>>2;
|
|
do {
|
|
@@ -1948,7 +1948,7 @@
|
|
/* XXX adjust fromskew */
|
|
do {
|
|
x = w>>2;
|
|
- do {
|
|
+ while(x>0) {
|
|
int32 Cb = pp[4];
|
|
int32 Cr = pp[5];
|
|
|
|
@@ -1959,7 +1959,8 @@
|
|
|
|
cp += 4;
|
|
pp += 6;
|
|
- } while (--x);
|
|
+ x--;
|
|
+ }
|
|
|
|
if( (w&3) != 0 )
|
|
{
|
|
@@ -2050,7 +2051,7 @@
|
|
fromskew = (fromskew * 4) / 2;
|
|
do {
|
|
x = w>>1;
|
|
- do {
|
|
+ while(x>0) {
|
|
int32 Cb = pp[2];
|
|
int32 Cr = pp[3];
|
|
|
|
@@ -2059,7 +2060,8 @@
|
|
|
|
cp += 2;
|
|
pp += 4;
|
|
- } while (--x);
|
|
+ x --;
|
|
+ }
|
|
|
|
if( (w&1) != 0 )
|
|
{
|
|
Index: libtiff/libtiff/tif_next.c
|
|
diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16
|
|
--- libtiff/libtiff/tif_next.c:1.15 Sun Dec 21 13:07:48 2014
|
|
+++ libtiff/libtiff/tif_next.c Mon Dec 29 07:09:11 2014
|
|
@@ -71,7 +71,7 @@
|
|
TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
|
|
return (0);
|
|
}
|
|
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
|
|
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
|
|
n = *bp++, cc--;
|
|
switch (n) {
|
|
case LITERALROW:
|
|
@@ -90,6 +90,8 @@
|
|
* The scanline has a literal span that begins at some
|
|
* offset.
|
|
*/
|
|
+ if( cc < 4 )
|
|
+ goto bad;
|
|
off = (bp[0] * 256) + bp[1];
|
|
n = (bp[2] * 256) + bp[3];
|
|
if (cc < 4+n || off+n > scanline)
|