← Back to branch summary

~ubuntu-branches/ubuntu/precise/tiff/precise-security 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sun, 21 Dec 2014 19:53:59 +0000
Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write
 http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)

---
 ChangeLog         | 5 +++++
 tools/thumbnail.c | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

Index: tiff-3.9.5/tools/thumbnail.c
===================================================================
--- tiff-3.9.5.orig/tools/thumbnail.c	2015-03-30 07:47:09.929107438 -0400
+++ tiff-3.9.5/tools/thumbnail.c	2015-03-30 07:47:09.929107438 -0400
@@ -548,7 +548,13 @@
 	    err -= limit;
 	    sy++;
 	    if (err >= limit)
-		rows[nrows++] = br + bpr*sy;
+		{
+			/* We should perhaps error loudly, but I can't make sense of that */
+			/* code... */
+			if( nrows == 256 )
+				break;
+			rows[nrows++] = br + bpr*sy;
+		}
 	}
 	setrow(row, nrows, rows);
 	row += tnw;