Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.2
tiff
tiff-3.8.2-CVE-2013-1960.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tiff-3.8.2-CVE-2013-1960.patch of Package tiff
diff -cr tiff-3.8.2.orig/tools/tiff2pdf.c tiff-3.8.2/tools/tiff2pdf.c *** tiff-3.8.2.orig/tools/tiff2pdf.c Tue Mar 21 11:42:51 2006 --- tiff-3.8.2/tools/tiff2pdf.c Tue Apr 16 14:58:23 2013 *************** *** 3257,3286 **** uint32 height){ tsize_t i=0; ! uint16 ri =0; ! uint16 v_samp=1; ! uint16 h_samp=1; ! int j=0; ! ! i++; ! ! while(i<(*striplength)){ switch( strip[i] ){ ! case 0xd8: ! i+=2; break; ! case 0xc0: ! case 0xc1: ! case 0xc3: ! case 0xc9: ! case 0xca: if(no==0){ ! _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); ! for(j=0;j<buffer[*bufferoffset+9];j++){ ! if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) ! h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); ! if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) ! v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); } v_samp*=8; h_samp*=8; --- 3257,3312 ---- uint32 height){ tsize_t i=0; ! ! while (i < *striplength) { ! tsize_t datalen; ! uint16 ri; ! uint16 v_samp; ! uint16 h_samp; ! int j; ! int ncomp; ! ! /* marker header: one or more FFs */ ! if (strip[i] != 0xff) ! return(0); ! i++; ! while (i < *striplength && strip[i] == 0xff) ! i++; ! if (i >= *striplength) ! return(0); ! /* SOI is the only pre-SOS marker without a length word */ ! if (strip[i] == 0xd8) ! datalen = 0; ! else { ! if ((*striplength - i) <= 2) ! return(0); ! datalen = (strip[i+1] << 8) | strip[i+2]; ! if (datalen < 2 || datalen >= (*striplength - i)) ! return(0); ! } switch( strip[i] ){ ! case 0xd8: /* SOI - start of image */ ! _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); ! *bufferoffset+=2; break; ! case 0xc0: /* SOF0 */ ! case 0xc1: /* SOF1 */ ! case 0xc3: /* SOF3 */ ! case 0xc9: /* SOF9 */ ! case 0xca: /* SOF10 */ if(no==0){ ! _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ! ncomp = buffer[*bufferoffset+9]; ! if (ncomp < 1 || ncomp > 4) ! return(0); ! v_samp=1; ! h_samp=1; ! for(j=0;j<ncomp;j++){ ! uint16 samp = buffer[*bufferoffset+11+(3*j)]; ! if( (samp>>4) > h_samp) ! h_samp = (samp>>4); ! if( (samp & 0x0f) > v_samp) ! v_samp = (samp & 0x0f); } v_samp*=8; h_samp*=8; *************** *** 3294,3338 **** (unsigned char) ((height>>8) & 0xff); buffer[*bufferoffset+6]= (unsigned char) (height & 0xff); ! *bufferoffset+=strip[i+2]+2; ! i+=strip[i+2]+2; ! buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]=0xdd; buffer[(*bufferoffset)++]=0x00; buffer[(*bufferoffset)++]=0x04; buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; buffer[(*bufferoffset)++]= ri & 0xff; - } else { - i+=strip[i+2]+2; } break; ! case 0xc4: ! case 0xdb: ! _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); ! *bufferoffset+=strip[i+2]+2; ! i+=strip[i+2]+2; break; ! case 0xda: if(no==0){ ! _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); ! *bufferoffset+=strip[i+2]+2; ! i+=strip[i+2]+2; } else { buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]= (unsigned char)(0xd0 | ((no-1)%8)); - i+=strip[i+2]+2; } ! _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); ! *bufferoffset+=(*striplength)-i-1; return(1); default: ! i+=strip[i+2]+2; } } - return(0); } #endif --- 3320,3362 ---- (unsigned char) ((height>>8) & 0xff); buffer[*bufferoffset+6]= (unsigned char) (height & 0xff); ! *bufferoffset+=datalen+2; ! /* insert a DRI marker */ buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]=0xdd; buffer[(*bufferoffset)++]=0x00; buffer[(*bufferoffset)++]=0x04; buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; buffer[(*bufferoffset)++]= ri & 0xff; } break; ! case 0xc4: /* DHT */ ! case 0xdb: /* DQT */ ! _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ! *bufferoffset+=datalen+2; break; ! case 0xda: /* SOS */ if(no==0){ ! _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ! *bufferoffset+=datalen+2; } else { buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]= (unsigned char)(0xd0 | ((no-1)%8)); } ! i += datalen + 1; ! /* copy remainder of strip */ ! _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); ! *bufferoffset+= *striplength - i; return(1); default: ! /* ignore any other marker */ ! break; } + i += datalen + 1; } + /* failed to find SOS marker */ return(0); } #endif
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor