← Back to branch summary

~ubuntu-branches/ubuntu/precise/tiff/precise-security

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2014-81xx-10.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-30 08:11:18 UTC
  • Revision ID: package-import@ubuntu.com-20150330081118-bvaoaii1act27voq
Tags: 3.9.5-2ubuntu1.7
* SECURITY UPDATE: Fix multiple security issues
  - debian/patches/CVE-2014-81xx-1.patch to CVE-2014-81xx-11.patch
  - debian/patches/CVE-2014-8128-5.patch
  - debian/patches/CVE-2014-9655-1.patch to CVE-2014-9655-3.patch
  - debian/patches/read_overrun.patch
  - debian/patches/CVE-2014-8130.patch
  - CVE-2014-8127 (partially)
  - CVE-2014-8128
  - CVE-2014-8129
  - CVE-2014-8130
  - CVE-2014-9330
  - CVE-2014-9655

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/CVE-2014-81xx-10.patch
 
1
From 1f7359b00663804d96c3a102bcb6ead9812c1509 Mon Sep 17 00:00:00 2001
 
2
From: erouault <erouault>
 
3
Date: Tue, 23 Dec 2014 10:15:35 +0000
 
4
Subject: [PATCH] * libtiff/tif_read.c: fix several invalid comparisons of a
 
5
 uint64 value with <= 0 by casting it to int64 first. This solves crashing bug
 
6
 on corrupted images generated by afl.
 
7
 
 
8
---
 
9
 ChangeLog          | 6 ++++++
 
10
 libtiff/tif_read.c | 6 +++---
 
11
 2 files changed, 9 insertions(+), 3 deletions(-)
 
12
 
 
13
Index: tiff-3.9.5/libtiff/tif_read.c
 
14
===================================================================
 
15
--- tiff-3.9.5.orig/libtiff/tif_read.c  2015-03-30 07:50:30.550858302 -0400
 
16
+++ tiff-3.9.5/libtiff/tif_read.c       2015-03-30 07:51:56.627609221 -0400
 
17
@@ -243,7 +243,7 @@
 
18
                return ((tsize_t) -1);
 
19
        }
 
20
        bytecount = td->td_stripbytecount[strip];
 
21
-       if (bytecount <= 0) {
 
22
+       if ((int64)bytecount <= 0) {
 
23
                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
 
24
                    "%lu: Invalid strip byte count, strip %lu",
 
25
                    (unsigned long) bytecount, (unsigned long) strip);
 
26
@@ -273,7 +273,7 @@
 
27
                 * So we are using uint32 instead of tsize_t here.
 
28
                 */
 
29
                uint32 bytecount = td->td_stripbytecount[strip];
 
30
-               if (bytecount <= 0) {
 
31
+               if ((int64)bytecount <= 0) {
 
32
                        TIFFErrorExt(tif->tif_clientdata, module,
 
33
                            "%s: Invalid strip byte count %lu, strip %lu",
 
34
                            tif->tif_name, (unsigned long) bytecount,
 
35
@@ -508,7 +508,7 @@
 
36
                 * So we are using uint32 instead of tsize_t here.
 
37
                 */
 
38
                uint32 bytecount = td->td_stripbytecount[tile];
 
39
-               if (bytecount <= 0) {
 
40
+               if ((int64)bytecount <= 0) {
 
41
                        TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
 
42
                            "%lu: Invalid tile byte count, tile %lu",
 
43
                            (unsigned long) bytecount, (unsigned long) tile);