← Back to branch summary

~ubuntu-branches/ubuntu/precise/tiff/precise-security

« back to all changes in this revision

Viewing changes to libtiff/tif_next.c

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-30 08:11:18 UTC
  • Revision ID: package-import@ubuntu.com-20150330081118-bvaoaii1act27voq
Tags: 3.9.5-2ubuntu1.7
* SECURITY UPDATE: Fix multiple security issues
  - debian/patches/CVE-2014-81xx-1.patch to CVE-2014-81xx-11.patch
  - debian/patches/CVE-2014-8128-5.patch
  - debian/patches/CVE-2014-9655-1.patch to CVE-2014-9655-3.patch
  - debian/patches/read_overrun.patch
  - debian/patches/CVE-2014-8130.patch
  - CVE-2014-8127 (partially)
  - CVE-2014-8128
  - CVE-2014-8129
  - CVE-2014-8130
  - CVE-2014-9330
  - CVE-2014-9655

Show diffs side-by-side

added added

removed removed

Lines of Context:
libtiff/tif_next.c
65
65
        bp = (unsigned char *)tif->tif_rawcp;
66
66
        cc = tif->tif_rawcc;
67
67
        scanline = tif->tif_scanlinesize;
68
 
        for (row = buf; occ > 0; occ -= scanline, row += scanline) {
 
68
        for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
69
69
                n = *bp++, cc--;
70
70
                switch (n) {
71
71
                case LITERALROW:
84
84
                         * The scanline has a literal span that begins at some
85
85
                         * offset.
86
86
                         */
 
87
                        if( cc < 4 )
 
88
                                goto bad;
87
89
                        off = (bp[0] * 256) + bp[1];
88
90
                        n = (bp[2] * 256) + bp[3];
89
91
                        if (cc < 4+n || off+n > scanline)
96
98
                default: {
97
99
                        uint32 npixels = 0, grey;
98
100
                        uint32 imagewidth = tif->tif_dir.td_imagewidth;
 
101
            if( isTiled(tif) )
 
102
                imagewidth = tif->tif_dir.td_tilewidth;
99
103
 
100
104
                        /*
101
105
                         * The scanline is composed of a sequence of constant
133
137
        return (0);
134
138
}
135
139
 
 
140
static int
 
141
NeXTPreDecode(TIFF* tif, uint16 s)
 
142
{
 
143
        static const char module[] = "NeXTPreDecode";
 
144
        TIFFDirectory *td = &tif->tif_dir;
 
145
        (void)s;
 
146
 
 
147
        if( td->td_bitspersample != 2 )
 
148
        {
 
149
                TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
 
150
                                         td->td_bitspersample);
 
151
                return (0);
 
152
        }
 
153
        return (1);
 
154
}
 
155
 
136
156
int
137
157
TIFFInitNeXT(TIFF* tif, int scheme)
138
158
{
139
159
        (void) scheme;
 
160
        tif->tif_predecode = NeXTPreDecode;
140
161
        tif->tif_decoderow = NeXTDecode;
141
162
        tif->tif_decodestrip = NeXTDecode;
142
163
        tif->tif_decodetile = NeXTDecode;