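--- tiff-4.0.2.orig/tools/tiff2pdf.c
+++ tiff-4.0.2/tools/tiff2pdf.c
@@ -3340,33 +3340,56 @@ int t2p_process_jpeg_strip(
- while(i<(*striplength)){
+ while (i < *striplength) {
+ /* marker header: one or more FFs */
+ if (strip[i] != 0xff)
+ while (i < *striplength && strip[i] == 0xff)
+ if (i >= *striplength)
+ /* SOI is the only pre-SOS marker without a length word */
+ if (strip[i] == 0xd8)
+ if ((*striplength - i) <= 2)
+ datalen = (strip[i+1] << 8) | strip[i+2];
+ if (datalen < 2 || datalen >= (*striplength - i))
- /* SOI - start of image */
+ case 0xd8: /* SOI - start of image */
  _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ case 0xc0: /* SOF0 */
+ case 0xc1: /* SOF1 */
+ case 0xc3: /* SOF3 */
+ case 0xc9: /* SOF9 */
+ case 0xca: /* SOF10 */
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- for(j=0;j<buffer[*bufferoffset+9];j++){
- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ ncomp = buffer[*bufferoffset+9];
+ if (ncomp < 1 || ncomp > 4)
+ for(j=0;j<ncomp;j++){
+ uint16 samp = buffer[*bufferoffset+11+(3*j)];
+ if( (samp>>4) > h_samp)
+ if( (samp & 0x0f) > v_samp)
+ v_samp = (samp & 0x0f);
@@ -3380,45 +3403,43 @@ int t2p_process_jpeg_strip(
  (unsigned char) ((height>>8) & 0xff);
  buffer[*bufferoffset+6]=
  (unsigned char) (height & 0xff);
- *bufferoffset+=strip[i+2]+2;
+ *bufferoffset+=datalen+2;
+ /* insert a DRI marker */
  buffer[(*bufferoffset)++]=0xff;
  buffer[(*bufferoffset)++]=0xdd;
  buffer[(*bufferoffset)++]=0x00;
  buffer[(*bufferoffset)++]=0x04;
  buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
  buffer[(*bufferoffset)++]= ri & 0xff;
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
+ case 0xc4: /* DHT */
+ case 0xdb: /* DQT */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
+ case 0xda: /* SOS */
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
- *bufferoffset+=strip[i+2]+2;
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
  buffer[(*bufferoffset)++]=0xff;
  buffer[(*bufferoffset)++]=
  (unsigned char)(0xd0 | ((no-1)%8));
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
- *bufferoffset+=(*striplength)-i-1;
+ /* copy remainder of strip */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
+ *bufferoffset+= *striplength - i;
+ /* ignore any other marker */
+ /* failed to find SOS marker */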
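Review bot: In the SOF cases of the first hunk, `ncomp` is read from `buffer[*bufferoffset+9]` and each sampling byte from `buffer[*bufferoffset+11+(3*j)]`, but the only lower bound placed on the segment is `datalen < 2`, so a truncated SOF segment makes the loop read bytes that were never copied from the strip. A rejection such as `if (datalen < 8 + 3*ncomp) return(0);` after the `ncomp < 1 || ncomp > 4` test would tie those reads to the declared segment length. Separately, no visible line checks the `_TIFFmemcpy` destinations, the six inserted DRI bytes or the two restart-marker bytes against the capacity of `buffer`; that size is set by the caller outside this patch, so confirm it allows for the strip plus those extra bytes. The page shows only some lines of each hunk, so the failure return value and the advance of `i` are assumed rather than visible.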