diff options
Diffstat (limited to 'graphics/tiff/files/patch-tif_read.c')
-rw-r--r-- | graphics/tiff/files/patch-tif_read.c | 43 |
1 files changed, 0 insertions, 43 deletions
diff --git a/graphics/tiff/files/patch-tif_read.c b/graphics/tiff/files/patch-tif_read.c deleted file mode 100644 index 67c18ccb5b94..000000000000 --- a/graphics/tiff/files/patch-tif_read.c +++ /dev/null @@ -1,43 +0,0 @@ -CVE-2006-3464,3465 -=================================================================== ---- libtiff/tif_read.c.orig 2008-08-17 13:03:48.990994211 -0400 -+++ libtiff/tif_read.c 2008-08-17 13:03:52.898026507 -0400 -@@ -31,6 +31,8 @@ - #include "tiffiop.h" - #include <stdio.h> - -+#include <limits.h> -+ - int TIFFFillStrip(TIFF*, tstrip_t); - int TIFFFillTile(TIFF*, ttile_t); - static int TIFFStartStrip(TIFF*, tstrip_t); -@@ -272,7 +274,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { -+ /* -+ * This sanity check could potentially overflow, causing an OOB read. -+ * verify that offset + bytecount is > offset. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { - /* - * This error message might seem strange, but it's - * what would happen if a read were done instead. -@@ -470,7 +478,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { -+ /* -+ * We must check this calculation doesnt overflow, potentially -+ * causing an OOB read. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { - tif->tif_curtile = NOTILE; - return (0); - } |