Overview

File tiff-3.8.2-CVE-2013-1960.patch of Package tiff

diff -cr tiff-3.8.2.orig/tools/tiff2pdf.c tiff-3.8.2/tools/tiff2pdf.c
*** tiff-3.8.2.orig/tools/tiff2pdf.c	Tue Mar 21 11:42:51 2006
--- tiff-3.8.2/tools/tiff2pdf.c	Tue Apr 16 14:58:23 2013
***************
*** 3257,3286 ****
  	uint32 height){
  
  	tsize_t i=0;
! 	uint16 ri =0;
! 	uint16 v_samp=1;
! 	uint16 h_samp=1;
! 	int j=0;
! 	
! 	i++;
! 	
! 	while(i<(*striplength)){
  		switch( strip[i] ){
! 			case 0xd8:
! 				i+=2;
  				break;
! 			case 0xc0:
! 			case 0xc1:
! 			case 0xc3:
! 			case 0xc9:
! 			case 0xca:
  				if(no==0){
! 					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
! 					for(j=0;j<buffer[*bufferoffset+9];j++){
! 						if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) 
! 							h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
! 						if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) 
! 							v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
  					}
  					v_samp*=8;
  					h_samp*=8;
--- 3257,3312 ----
  	uint32 height){
  
  	tsize_t i=0;
! 
! 	while (i < *striplength) {
! 		tsize_t datalen;
! 		uint16 ri;
! 		uint16 v_samp;
! 		uint16 h_samp;
! 		int j;
! 		int ncomp;
! 
! 		/* marker header: one or more FFs */
! 		if (strip[i] != 0xff)
! 			return(0);
! 		i++;
! 		while (i < *striplength && strip[i] == 0xff)
! 			i++;
! 		if (i >= *striplength)
! 			return(0);
! 		/* SOI is the only pre-SOS marker without a length word */
! 		if (strip[i] == 0xd8)
! 			datalen = 0;
! 		else {
! 			if ((*striplength - i) <= 2)
! 				return(0);
! 			datalen = (strip[i+1] << 8) | strip[i+2];
! 			if (datalen < 2 || datalen >= (*striplength - i))
! 				return(0);
! 		}
  		switch( strip[i] ){
! 			case 0xd8:	/* SOI - start of image */
! 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
! 				*bufferoffset+=2;
  				break;
! 			case 0xc0:	/* SOF0 */
! 			case 0xc1:	/* SOF1 */
! 			case 0xc3:	/* SOF3 */
! 			case 0xc9:	/* SOF9 */
! 			case 0xca:	/* SOF10 */
  				if(no==0){
! 					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
! 					ncomp = buffer[*bufferoffset+9];
! 					if (ncomp < 1 || ncomp > 4)
! 						return(0);
! 					v_samp=1;
! 					h_samp=1;
! 					for(j=0;j<ncomp;j++){
! 						uint16 samp = buffer[*bufferoffset+11+(3*j)];
! 						if( (samp>>4) > h_samp) 
! 							h_samp = (samp>>4);
! 						if( (samp & 0x0f) > v_samp) 
! 							v_samp = (samp & 0x0f);
  					}
  					v_samp*=8;
  					h_samp*=8;
***************
*** 3294,3338 ****
                                            (unsigned char) ((height>>8) & 0xff);
  					buffer[*bufferoffset+6]=
                                              (unsigned char) (height & 0xff);
! 					*bufferoffset+=strip[i+2]+2;
! 					i+=strip[i+2]+2;
! 
  					buffer[(*bufferoffset)++]=0xff;
  					buffer[(*bufferoffset)++]=0xdd;
  					buffer[(*bufferoffset)++]=0x00;
  					buffer[(*bufferoffset)++]=0x04;
  					buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
  					buffer[(*bufferoffset)++]= ri & 0xff;
- 				} else {
- 					i+=strip[i+2]+2;
  				}
  				break;
! 			case 0xc4:
! 			case 0xdb:
! 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
! 				*bufferoffset+=strip[i+2]+2;
! 				i+=strip[i+2]+2;
  				break;
! 			case 0xda:
  				if(no==0){
! 					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
! 					*bufferoffset+=strip[i+2]+2;
! 					i+=strip[i+2]+2;
  				} else {
  					buffer[(*bufferoffset)++]=0xff;
  					buffer[(*bufferoffset)++]=
                                              (unsigned char)(0xd0 | ((no-1)%8));
- 					i+=strip[i+2]+2;
  				}
! 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
! 				*bufferoffset+=(*striplength)-i-1;
  				return(1);
  			default:
! 				i+=strip[i+2]+2;
  		}
  	}
- 	
  
  	return(0);
  }
  #endif
--- 3320,3362 ----
                                            (unsigned char) ((height>>8) & 0xff);
  					buffer[*bufferoffset+6]=
                                              (unsigned char) (height & 0xff);
! 					*bufferoffset+=datalen+2;
! 					/* insert a DRI marker */
  					buffer[(*bufferoffset)++]=0xff;
  					buffer[(*bufferoffset)++]=0xdd;
  					buffer[(*bufferoffset)++]=0x00;
  					buffer[(*bufferoffset)++]=0x04;
  					buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
  					buffer[(*bufferoffset)++]= ri & 0xff;
  				}
  				break;
! 			case 0xc4: /* DHT */
! 			case 0xdb: /* DQT */
! 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
! 				*bufferoffset+=datalen+2;
  				break;
! 			case 0xda: /* SOS */
  				if(no==0){
! 					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
! 					*bufferoffset+=datalen+2;
  				} else {
  					buffer[(*bufferoffset)++]=0xff;
  					buffer[(*bufferoffset)++]=
                                              (unsigned char)(0xd0 | ((no-1)%8));
  				}
! 				i += datalen + 1;
! 				/* copy remainder of strip */
! 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
! 				*bufferoffset+= *striplength - i;
  				return(1);
  			default:
! 				/* ignore any other marker */
! 				break;
  		}
+ 		i += datalen + 1;
  	}
  
+ 	/* failed to find SOS marker */
  	return(0);
  }
  #endif
openSUSE Build Service is sponsored by
Places