← Back to branch summary

~ubuntu-branches/ubuntu/precise/tiff/precise-security

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2014-9655-2.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-30 08:11:18 UTC
  • Revision ID: package-import@ubuntu.com-20150330081118-bvaoaii1act27voq
Tags: 3.9.5-2ubuntu1.7
* SECURITY UPDATE: Fix multiple security issues
  - debian/patches/CVE-2014-81xx-1.patch to CVE-2014-81xx-11.patch
  - debian/patches/CVE-2014-8128-5.patch
  - debian/patches/CVE-2014-9655-1.patch to CVE-2014-9655-3.patch
  - debian/patches/read_overrun.patch
  - debian/patches/CVE-2014-8130.patch
  - CVE-2014-8127 (partially)
  - CVE-2014-8128
  - CVE-2014-8129
  - CVE-2014-8130
  - CVE-2014-9330
  - CVE-2014-9655

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/CVE-2014-9655-2.patch
 
1
Backport of:
 
2
 
 
3
From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001
 
4
From: erouault <erouault>
 
5
Date: Mon, 29 Dec 2014 12:09:11 +0000
 
6
Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't
 
7
 read outside of the compressed input stream buffer.
 
8
 
 
9
* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
 
10
---
 
11
 ChangeLog              |  9 +++++++++
 
12
 libtiff/tif_getimage.c | 12 +++++++-----
 
13
 libtiff/tif_next.c     |  4 +++-
 
14
 3 files changed, 19 insertions(+), 6 deletions(-)
 
15
 
 
16
Index: tiff-3.9.5/libtiff/tif_getimage.c
 
17
===================================================================
 
18
--- tiff-3.9.5.orig/libtiff/tif_getimage.c      2015-03-30 08:00:11.795924791 -0400
 
19
+++ tiff-3.9.5/libtiff/tif_getimage.c   2015-03-30 08:00:11.791924755 -0400
 
20
@@ -1759,7 +1759,7 @@
 
21
 
 
22
     (void) y;
 
23
     fromskew = (fromskew * 10) / 4;
 
24
-    if ((h & 3) == 0 && (w & 1) == 0) {
 
25
+    if ((w & 3) == 0 && (h & 1) == 0) {
 
26
         for (; h >= 2; h -= 2) {
 
27
             x = w>>2;
 
28
             do {
 
29
@@ -1836,7 +1836,7 @@
 
30
     /* XXX adjust fromskew */
 
31
     do {
 
32
        x = w>>2;
 
33
-       do {
 
34
+       while(x>0) {
 
35
            int32 Cb = pp[4];
 
36
            int32 Cr = pp[5];
 
37
 
 
38
@@ -1847,7 +1847,8 @@
 
39
 
 
40
            cp += 4;
 
41
            pp += 6;
 
42
-       } while (--x);
 
43
+               x--;
 
44
+       }
 
45
 
 
46
         if( (w&3) != 0 )
 
47
         {
 
48
@@ -1938,7 +1939,7 @@
 
49
        fromskew = (fromskew * 4) / 2;
 
50
        do {
 
51
                x = w>>1;
 
52
-               do {
 
53
+               while(x>0) {
 
54
                        int32 Cb = pp[2];
 
55
                        int32 Cr = pp[3];
 
56
 
 
57
@@ -1947,7 +1948,8 @@
 
58
 
 
59
                        cp += 2;
 
60
                        pp += 4;
 
61
-               } while (--x);
 
62
+                       x --;
 
63
+               }
 
64
 
 
65
                if( (w&1) != 0 )
 
66
                {
 
67
Index: tiff-3.9.5/libtiff/tif_next.c
 
68
===================================================================
 
69
--- tiff-3.9.5.orig/libtiff/tif_next.c  2015-03-30 08:00:11.795924791 -0400
 
70
+++ tiff-3.9.5/libtiff/tif_next.c       2015-03-30 08:00:52.444278078 -0400
 
71
@@ -65,7 +65,7 @@
 
72
        bp = (unsigned char *)tif->tif_rawcp;
 
73
        cc = tif->tif_rawcc;
 
74
        scanline = tif->tif_scanlinesize;
 
75
-       for (row = buf; occ > 0; occ -= scanline, row += scanline) {
 
76
+       for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
 
77
                n = *bp++, cc--;
 
78
                switch (n) {
 
79
                case LITERALROW:
 
80
@@ -84,6 +84,8 @@
 
81
                         * The scanline has a literal span that begins at some
 
82
                         * offset.
 
83
                         */
 
84
+                       if( cc < 4 )
 
85
+                               goto bad;
 
86
                        off = (bp[0] * 256) + bp[1];
 
87
                        n = (bp[2] * 256) + bp[3];
 
88
                        if (cc < 4+n || off+n > scanline)