File erouault.2876.patch of Package tiff.openSUSE_13.2_Update

---------------------
PatchSet 2876 
Date: 2014/12/29 14:09:11
Author: erouault
Branch: HEAD
Tag: (none) 
Log:
* libtiff/tif_next.c: add new tests to check that we don't read outside of
the compressed input stream buffer.

* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height

Members: 
	ChangeLog:1.980->1.981 
	libtiff/tif_getimage.c:1.85->1.86 
	libtiff/tif_next.c:1.15->1.16 

Index: libtiff/libtiff/tif_getimage.c
diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86
--- libtiff/libtiff/tif_getimage.c:1.85	Thu Dec 25 13:29:11 2014
+++ libtiff/libtiff/tif_getimage.c	Mon Dec 29 07:09:11 2014
@@ -1871,7 +1871,7 @@
 
     (void) y;
     fromskew = (fromskew * 10) / 4;
-    if ((h & 3) == 0 && (w & 1) == 0) {
+    if ((w & 3) == 0 && (h & 1) == 0) {
         for (; h >= 2; h -= 2) {
             x = w>>2;
             do {
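Review bot: The corrected test `if ((w & 3) == 0 && (h & 1) == 0)` has no comment tying the masks to the block shape the fast path consumes, which is how a transposed `w`/`h` could sit unnoticed. A one-line comment above it would pin the intent, for example `/* fast path walks 4-pixel-wide, 2-row blocks: x = w>>2, h -= 2 */`. The inner `do {` on the last line of this hunk is still a do/while seeded with `x = w>>2`, unlike the loops this patch converts to `while(x>0)` further down. Its closing condition and the else branch are outside the hunk, so whether `w == 0` can reach it cannot be confirmed from here.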
@@ -1948,7 +1948,7 @@
     /* XXX adjust fromskew */
     do {
 	x = w>>2;
-	do {
+	while(x>0) {
 	    int32 Cb = pp[4];
 	    int32 Cr = pp[5];
 
@@ -1959,7 +1959,8 @@
 
 	    cp += 4;
 	    pp += 6;
-	} while (--x);
+		x--;
+	}
 
         if( (w&3) != 0 )
         {
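Review bot: The outer `do {` enclosing this loop (opened in the @@ -1948 hunk, just above `x = w>>2`) is still in do/while form although the inner loop was converted, and the same holds for the outer `do {` in the @@ -2050 hunk. Its closing condition is outside every hunk shown; if it is a pre-decrement test like the removed `while (--x)`, a call with `h == 0` would wrap the counter and keep advancing `pp` and `cp` past their buffers, just as the inner loop did for `w < 4`. If the callers cannot rule that out, the outer loops could take the counted form already used in the @@ -1871 hunk, e.g. `for (; h > 0; h--) {`.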
@@ -2050,7 +2051,7 @@
 	fromskew = (fromskew * 4) / 2;
 	do {
 		x = w>>1;
-		do {
+		while(x>0) {
 			int32 Cb = pp[2];
 			int32 Cr = pp[3];
 
@@ -2059,7 +2060,8 @@
 
 			cp += 2;
 			pp += 4;
-		} while (--x);
+			x --;
+		}
 
 		if( (w&1) != 0 )
 		{
Index: libtiff/libtiff/tif_next.c
diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16
--- libtiff/libtiff/tif_next.c:1.15	Sun Dec 21 13:07:48 2014
+++ libtiff/libtiff/tif_next.c	Mon Dec 29 07:09:11 2014
@@ -71,7 +71,7 @@
 		TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
 		return (0);
 	}
-	for (row = buf; occ > 0; occ -= scanline, row += scanline) {
+	for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
 		n = *bp++, cc--;
 		switch (n) {
 		case LITERALROW:
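Review bot: With `cc > 0 &&` in the loop condition, a compressed stream that ends early now leaves the loop quietly while `occ` is still positive, so the trailing rows of `buf` are never written by this loop. The code after the loop is outside the hunk; if it returns success unconditionally, a truncated strip is reported as fully decoded and the caller sees whatever `buf` held before. Consider a check after the loop, such as `if (occ > 0) goto bad;`, or a comment stating that short input is deliberately tolerated.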
@@ -90,6 +90,8 @@
 			 * The scanline has a literal span that begins at some
 			 * offset.
 			 */
+			if( cc < 4 )
+				goto bad;
 			off = (bp[0] * 256) + bp[1];
 			n = (bp[2] * 256) + bp[3];
 			if (cc < 4+n || off+n > scanline)
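Review bot: The added `if( cc < 4 )` guard and the existing `cc < 4+n` both depend on an unexplained `4`, which is the size of the two 16-bit big-endian fields read from `bp[0]`..`bp[3]`. A short comment on the guard would make the bound auditable: `/* need 2-byte offset + 2-byte count before reading bp[0..3] */`. The declarations of `off`, `n` and `cc` are outside the hunk, so the signedness of `off+n > scanline` cannot be checked here. The rest of this case and the `bad` label are also outside the hunk.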