← Back to branch summary

~ubuntu-branches/ubuntu/precise/tiff/precise-security

« back to all changes in this revision

Viewing changes to debian/patches/read_overrun.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-30 08:11:18 UTC
  • Revision ID: package-import@ubuntu.com-20150330081118-bvaoaii1act27voq
Tags: 3.9.5-2ubuntu1.7
* SECURITY UPDATE: Fix multiple security issues
  - debian/patches/CVE-2014-81xx-1.patch to CVE-2014-81xx-11.patch
  - debian/patches/CVE-2014-8128-5.patch
  - debian/patches/CVE-2014-9655-1.patch to CVE-2014-9655-3.patch
  - debian/patches/read_overrun.patch
  - debian/patches/CVE-2014-8130.patch
  - CVE-2014-8127 (partially)
  - CVE-2014-8128
  - CVE-2014-8129
  - CVE-2014-8130
  - CVE-2014-9330
  - CVE-2014-9655

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/read_overrun.patch
 
1
From 5ef99cbffd5d5042fbd11f5e36d1b602e58c578d Mon Sep 17 00:00:00 2001
 
2
From: erouault <erouault>
 
3
Date: Sun, 7 Dec 2014 22:33:06 +0000
 
4
Subject: [PATCH] tools/thumbnail.c, tools/tiffcrop.c: fix heap read over-run
 
5
 found with Valgrind and Address Sanitizer on test suite
 
6
 
 
7
---
 
8
 ChangeLog         | 5 +++++
 
9
 tools/thumbnail.c | 7 ++++++-
 
10
 tools/tiffcrop.c  | 9 +++++++--
 
11
 3 files changed, 18 insertions(+), 3 deletions(-)
 
12
 
 
13
Index: tiff-3.9.5/tools/thumbnail.c
 
14
===================================================================
 
15
--- tiff-3.9.5.orig/tools/thumbnail.c   2015-03-30 08:08:08.420065812 -0400
 
16
+++ tiff-3.9.5/tools/thumbnail.c        2015-03-30 08:08:08.416065777 -0400
 
17
@@ -590,12 +590,17 @@
 
18
     rowsize = TIFFScanlineSize(in);
 
19
     rastersize = sh * rowsize;
 
20
     fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
 
21
-    raster = (unsigned char*)_TIFFmalloc(rastersize);
 
22
+       /* +3 : add a few guard bytes since setrow() can read a bit */
 
23
+       /* outside buffer */
 
24
+    raster = (unsigned char*)_TIFFmalloc(rastersize+3);
 
25
     if (!raster) {
 
26
            TIFFError(TIFFFileName(in),
 
27
                      "Can't allocate space for raster buffer.");
 
28
            return 0;
 
29
     }
 
30
+    raster[rastersize] = 0;
 
31
+    raster[rastersize+1] = 0;
 
32
+    raster[rastersize+2] = 0;
 
33
     rp = raster;
 
34
     for (s = 0; s < ns; s++) {
 
35
        (void) TIFFReadEncodedStrip(in, s, rp, -1);
 
36
Index: tiff-3.9.5/tools/tiffcrop.c
 
37
===================================================================
 
38
--- tiff-3.9.5.orig/tools/tiffcrop.c    2015-03-30 08:08:08.420065812 -0400
 
39
+++ tiff-3.9.5/tools/tiffcrop.c 2015-03-30 08:08:08.420065812 -0400
 
40
@@ -5996,8 +5996,10 @@
 
41
     }
 
42
  
 
43
   read_buff = *read_ptr;
 
44
+  /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
 
45
+  /* outside buffer */
 
46
   if (!read_buff)
 
47
-    read_buff = (unsigned char *)_TIFFmalloc(buffsize);
 
48
+    read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
 
49
   else
 
50
     {
 
51
     if (prev_readsize < buffsize)
 
52
@@ -6006,12 +6008,15 @@
 
53
       if (!new_buff)
 
54
         {
 
55
        free (read_buff);
 
56
-        read_buff = (unsigned char *)_TIFFmalloc(buffsize);
 
57
+        read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
 
58
         }
 
59
       else
 
60
         read_buff = new_buff;
 
61
       }
 
62
     }
 
63
+  read_buff[buffsize] = 0;
 
64
+  read_buff[buffsize+1] = 0;
 
65
+  read_buff[buffsize+2] = 0;
 
66
 
 
67
   if (!read_buff)
 
68
     {