Gentoo's Bugzilla – Attachment 86492 Details for
Bug 129675
media-libs/tiff: <3.8.1 several vulns: DoS, int. overflow, double-free vuln (CVE-2006-202[456], CVE-2006-2120)
[patch]
patch 3.7.3 (not verified)
tiff-3.7.3-bug129675.patch (text/plain), 6.40 KB, created by
Raphael Marichez (Falco) (RETIRED)
on 2006-05-09 10:15:47 UTC
Description:
patch 3.7.3 (not verified)
Filename:
MIME Type:
Creator:
Raphael Marichez (Falco) (RETIRED)
Created:
2006-05-09 10:15:47 UTC
Size:
6.40 KB
patch
obsolete
>diff -uNr -r tiff-3.7.3-orig/libtiff/tif_color.c tiff-3.7.3/libtiff/tif_color.c
>--- tiff-3.7.3-orig/libtiff/tif_color.c 2005-07-05 18:38:08.000000000 +0200
>+++ tiff-3.7.3/libtiff/tif_color.c 2006-05-09 19:16:08.799819750 +0200
>@@ -92,6 +92,11 @@
> Yg = TIFFmax(Yg, cielab->display.d_Y0G);
> Yb = TIFFmax(Yb, cielab->display.d_Y0B);
>
>+ /* Avoid overflow in case of wrong input values */
>+ Yr = TIFFmin(Yr, cielab->display.d_YCR);
>+ Yg = TIFFmin(Yg, cielab->display.d_YCG);
>+ Yb = TIFFmin(Yb, cielab->display.d_YCB);
>+
> /* Turn luminosity to colour value. */
> i = (int)((Yr - cielab->display.d_Y0R) / cielab->rstep);
> i = TIFFmin(cielab->range, i);
>diff -uNr -r tiff-3.7.3-orig/libtiff/tif_dirread.c tiff-3.7.3/libtiff/tif_dirread.c
>--- tiff-3.7.3-orig/libtiff/tif_dirread.c 2005-05-24 20:55:20.000000000 +0200
>+++ tiff-3.7.3/libtiff/tif_dirread.c 2006-05-09 19:16:08.799819750 +0200
>@@ -798,13 +798,20 @@
> int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
> tsize_t cc = dir->tdir_count * w;
>
>+ /* Check for overflow. */
>+ if (!dir->tdir_count || !w || cc / w != (tsize_t)dir->tdir_count)
>+ goto bad;
>+
> if (!isMapped(tif)) {
> if (!SeekOK(tif, dir->tdir_offset))
> goto bad;
> if (!ReadOK(tif, cp, cc))
> goto bad;
> } else {
>- if (dir->tdir_offset + cc > tif->tif_size)
>+ /* Check for overflow. */
>+ if ((tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset
>+ || (tsize_t)dir->tdir_offset + cc < cc
>+ || (tsize_t)dir->tdir_offset + cc > (tsize_t)tif->tif_size)
> goto bad;
> _TIFFmemcpy(cp, tif->tif_base + dir->tdir_offset, cc);
> }
>diff -uNr -r tiff-3.7.3-orig/libtiff/tif_fax3.c tiff-3.7.3/libtiff/tif_fax3.c
>--- tiff-3.7.3-orig/libtiff/tif_fax3.c 2005-03-06 11:51:36.000000000 +0100
>+++ tiff-3.7.3/libtiff/tif_fax3.c 2006-05-09 19:16:08.799819750 +0200
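Review bot: In the tif_color.c hunk the new upper clamp only bounds the index from above: if a display profile carries `d_YCR` smaller than `d_Y0R` (likewise for G and B), the `TIFFmin` after the `TIFFmax` leaves `Yr` below `d_Y0R`, `i` comes out negative, and `TIFFmin(cielab->range, i)` does not correct that. How `i` is used afterwards is outside the hunk, but if it indexes a lookup table a lower bound belongs here as well, e.g. `i = TIFFmax(0, TIFFmin(cielab->range, i));`, or the display parameters should be validated where they are loaded. The added comment could also name what overflows, for instance `/* Clamp to the display maximum so the float-to-int conversion below cannot overflow */`.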
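Review bot: In the tif_dirread.c hunk the mapped-file bound is tested by adding first and then looking for wrap-around (`(tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset`); if `tsize_t` is a signed type, which its declaration outside this patch would confirm, an overflowing addition is undefined behaviour and a compiler is free to drop the comparison. Comparing by subtraction never overflows, assuming `tdir_offset` and `tif_size` are unsigned: `if (cc < 0 || dir->tdir_offset > tif->tif_size || cc > tif->tif_size - dir->tdir_offset) goto bad;`. The same concern applies to `cc = dir->tdir_count * w`, which is evaluated before the new division check runs. The first check also sends a zero `tdir_count` to `bad`, so a comment stating that empty entries are rejected on purpose would help. The function begins and ends outside the hunk.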
>@@ -1074,6 +1074,10 @@
> if (tif->tif_data) {
> Fax3CodecState* sp = DecoderState(tif);
>
>+ assert (sp != 0);
>+ tif->tif_tagmethods.vgetfield = sp->b.vgetparent;
>+ tif->tif_tagmethods.vsetfield = sp->b.vsetparent;
>+
> if (sp->runs)
> _TIFFfree(sp->runs);
> if (sp->refline)
>@@ -1134,6 +1138,8 @@
> Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
> {
> Fax3BaseState* sp = Fax3State(tif);
>+ assert (sp != 0);
>+ assert (sp->vsetparent != 0);
>
> switch (tag) {
> case TIFFTAG_FAXMODE:
>diff -uNr -r tiff-3.7.3-orig/libtiff/tif_jpeg.c tiff-3.7.3/libtiff/tif_jpeg.c
>--- tiff-3.7.3-orig/libtiff/tif_jpeg.c 2005-06-01 19:15:14.000000000 +0200
>+++ tiff-3.7.3/libtiff/tif_jpeg.c 2006-05-09 19:16:08.799819750 +0200
>@@ -1500,15 +1500,18 @@
> static void
> JPEGCleanup(TIFF* tif)
> {
>- if (tif->tif_data) {
> JPEGState *sp = JState(tif);
>+
>+ assert (sp != 0);
>+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
>+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
>+
> if( sp->cinfo_initialized )
> TIFFjpeg_destroy(sp); /* release libjpeg resources */
> if (sp->jpegtables) /* tag value */
> _TIFFfree(sp->jpegtables);
> _TIFFfree(tif->tif_data); /* release local state */
> tif->tif_data = NULL;
>- }
> }
>
> static int
>diff -uNr -r tiff-3.7.3-orig/libtiff/tif_lzw.c tiff-3.7.3/libtiff/tif_lzw.c
>--- tiff-3.7.3-orig/libtiff/tif_lzw.c 2004-10-02 15:52:29.000000000 +0200
>+++ tiff-3.7.3/libtiff/tif_lzw.c 2006-05-09 19:16:08.799819750 +0200
>@@ -1002,6 +1002,8 @@
> static void
> LZWCleanup(TIFF* tif)
> {
>+ (void)TIFFPredictorCleanup(tif);
>+
> if (tif->tif_data) {
> if (DecoderState(tif)->dec_codetab)
> _TIFFfree(DecoderState(tif)->dec_codetab);
>diff -uNr -r tiff-3.7.3-orig/libtiff/tif_pixarlog.c tiff-3.7.3/libtiff/tif_pixarlog.c
>--- tiff-3.7.3-orig/libtiff/tif_pixarlog.c 2005-01-15 18:20:58.000000000 +0100
>+++ tiff-3.7.3/libtiff/tif_pixarlog.c 2006-05-09 19:16:08.803820000 +0200
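Review bot: In Fax3VSetField the parent hook is protected only by `assert (sp->vsetparent != 0);`, which is compiled out under NDEBUG, so a release build gets no check at all before any later call through that pointer (the forwarding call itself is presumably in the `default:` case, outside the hunk). A runtime test holds in every build, e.g. `if (sp == NULL || sp->vsetparent == NULL) return 0;` ahead of the `switch`; the failure value is inferred from the `return 1` convention visible elsewhere in this patch and should be confirmed against the callers. The same assert-only pattern is added in the tif_predict.c hunks at -519, -536 and -569. The body of Fax3VSetField continues past the end of the hunk.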
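Review bot: JPEGCleanup used to be a no-op when `tif->tif_data` was NULL; the new code replaces that guard with `assert (sp != 0);`, so in an NDEBUG build a repeated cleanup, or a cleanup after a failed codec setup, would dereference a null `sp` on the following line (assuming JState(tif) is derived from `tif->tif_data`, which the hunk does not show). Keeping a runtime guard is cheap: `if (sp == NULL) return;` directly after the declaration, with the assert retained for debug builds if wanted. PixarLogCleanup in tif_pixarlog.c and ZIPCleanup in tif_zip.c lose their `if (sp)` guard in the same way.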
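Review bot: In LZWCleanup the call `(void)TIFFPredictorCleanup(tif);` sits before the existing `if (tif->tif_data)` guard, yet TIFFPredictorCleanup as added in tif_predict.c reads through the predictor state right after an assert. If PredictorState(tif) is taken from `tif->tif_data` (its definition is not part of this patch), the guard below comes too late for a TIFF whose codec state was never allocated or was already released. Moving the call inside the `if (tif->tif_data) {` block keeps the previous no-op behaviour. The rest of the function lies outside the hunk.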
>@@ -1163,7 +1163,13 @@
> {
> PixarLogState* sp = (PixarLogState*) tif->tif_data;
>
>- if (sp) {
>+ assert(sp != 0);
>+
>+ (void)TIFFPredictorCleanup(tif);
>+
>+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
>+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
>+
> if (sp->FromLT2) _TIFFfree(sp->FromLT2);
> if (sp->From14) _TIFFfree(sp->From14);
> if (sp->From8) _TIFFfree(sp->From8);
>@@ -1180,7 +1186,6 @@
> _TIFFfree(sp->tbuf);
> _TIFFfree(sp);
> tif->tif_data = NULL;
>- }
> }
>
> static int
>diff -uNr -r tiff-3.7.3-orig/libtiff/tif_predict.c tiff-3.7.3/libtiff/tif_predict.c
>--- tiff-3.7.3-orig/libtiff/tif_predict.c 2005-06-05 18:13:15.000000000 +0200
>+++ tiff-3.7.3/libtiff/tif_predict.c 2006-05-09 19:16:08.803820000 +0200
>@@ -519,6 +519,9 @@
> {
> TIFFPredictorState *sp = PredictorState(tif);
>
>+ assert(sp != NULL);
>+ assert(sp->vsetparent != NULL);
>+
> switch (tag) {
> case TIFFTAG_PREDICTOR:
> sp->predictor = (uint16) va_arg(ap, int);
>@@ -536,6 +539,9 @@
> {
> TIFFPredictorState *sp = PredictorState(tif);
>
>+ assert(sp != NULL);
>+ assert(sp->vgetparent != NULL);
>+
> switch (tag) {
> case TIFFTAG_PREDICTOR:
> *va_arg(ap, uint16*) = sp->predictor;
>@@ -569,6 +575,8 @@
> TIFFPredictorInit(TIFF* tif)
> {
> TIFFPredictorState* sp = PredictorState(tif);
>+
>+ assert(sp != NULL);
>
> /*
> * Merge codec-specific tag information and
>@@ -595,4 +603,20 @@
> return 1;
> }
>
>+int
>+TIFFPredictorCleanup(TIFF* tif)
>+{
>+ TIFFPredictorState* sp = PredictorState(tif);
>+
>+ assert(sp != 0);
>+
>+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
>+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
>+ tif->tif_tagmethods.printdir = sp->printdir;
>+ tif->tif_setupdecode = sp->setupdecode;
>+ tif->tif_setupencode = sp->setupencode;
>+
>+ return 1;
>+}
>+
> /* vim: set ts=8 sts=8 sw=8 noet: */
>diff -uNr -r tiff-3.7.3-orig/libtiff/tif_predict.h tiff-3.7.3/libtiff/tif_predict.h
>--- tiff-3.7.3-orig/libtiff/tif_predict.h 2005-04-15 19:13:34.000000000 +0200
>+++ tiff-3.7.3/libtiff/tif_predict.h 2006-05-09 19:16:08.803820000 +0200
>@@ -55,6 +55,7 @@
> extern "C" {
> #endif
> extern int TIFFPredictorInit(TIFF*);
>+extern int TIFFPredictorCleanup(TIFF*);
> #if defined(__cplusplus)
> }
> #endif
>diff -uNr -r tiff-3.7.3-orig/libtiff/tif_zip.c tiff-3.7.3/libtiff/tif_zip.c
>--- tiff-3.7.3-orig/libtiff/tif_zip.c 2004-10-02 15:52:29.000000000 +0200
>+++ tiff-3.7.3/libtiff/tif_zip.c 2006-05-09 19:16:08.803820000 +0200
>@@ -249,7 +249,14 @@
> ZIPCleanup(TIFF* tif)
> {
> ZIPState* sp = ZState(tif);
>- if (sp) {
>+
>+ assert(sp != 0);
>+
>+ (void)TIFFPredictorCleanup(tif);
>+
>+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
>+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
>+
> if (sp->state&ZSTATE_INIT) {
> /* NB: avoid problems in the library */
> if (tif->tif_mode == O_RDONLY)
>@@ -259,7 +266,6 @@
> }
> _TIFFfree(sp);
> tif->tif_data = NULL;
>- }
> }
>
> static int
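Review bot: TIFFPredictorCleanup in tif_predict.c is added without any comment on its contract, and the required call order (before the codec releases `tif->tif_data`, as the ZIP and PixarLog callers do) is not obvious from the code. I would put above it: `/* Restore the tag methods and setup hooks saved in the predictor state (presumably by TIFFPredictorInit). Call before the codec frees tif->tif_data. */`. The function also always returns 1 and every caller in this patch discards the result with `(void)`, so the return value carries no information; returning 0 when `sp` is NULL, instead of relying on `assert(sp != 0);`, would make it meaningful and keep the check in NDEBUG builds.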
Attachments on
bug 129675
:
86490
| 86492