3
From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001
4
From: erouault <erouault>
5
Date: Mon, 29 Dec 2014 12:09:11 +0000
6
Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't
7
read outside of the compressed input stream buffer.
9
* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
11
ChangeLog | 9 +++++++++
12
libtiff/tif_getimage.c | 12 +++++++-----
13
libtiff/tif_next.c | 4 +++-
14
3 files changed, 19 insertions(+), 6 deletions(-)
16
Index: tiff-3.9.5/libtiff/tif_getimage.c
17
===================================================================
18
--- tiff-3.9.5.orig/libtiff/tif_getimage.c 2015-03-30 08:00:11.795924791 -0400
19
+++ tiff-3.9.5/libtiff/tif_getimage.c 2015-03-30 08:00:11.791924755 -0400
23
fromskew = (fromskew * 10) / 4;
24
- if ((h & 3) == 0 && (w & 1) == 0) {
25
+ if ((w & 3) == 0 && (h & 1) == 0) {
26
for (; h >= 2; h -= 2) {
30
/* XXX adjust fromskew */
49
fromskew = (fromskew * 4) / 2;
67
Index: tiff-3.9.5/libtiff/tif_next.c
68
===================================================================
69
--- tiff-3.9.5.orig/libtiff/tif_next.c 2015-03-30 08:00:11.795924791 -0400
70
+++ tiff-3.9.5/libtiff/tif_next.c 2015-03-30 08:00:52.444278078 -0400
72
bp = (unsigned char *)tif->tif_rawcp;
74
scanline = tif->tif_scanlinesize;
75
- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
76
+ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
81
* The scanline has a literal span that begins at some
86
off = (bp[0] * 256) + bp[1];
87
n = (bp[2] * 256) + bp[3];
88
if (cc < 4+n || off+n > scanline)