summaryrefslogtreecommitdiff
path: root/third_party/libtiff/0004-CVE-2015-8784.patch
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/libtiff/0004-CVE-2015-8784.patch')
-rw-r--r--third_party/libtiff/0004-CVE-2015-8784.patch50
1 files changed, 0 insertions, 50 deletions
diff --git a/third_party/libtiff/0004-CVE-2015-8784.patch b/third_party/libtiff/0004-CVE-2015-8784.patch
deleted file mode 100644
index e4415de6c1..0000000000
--- a/third_party/libtiff/0004-CVE-2015-8784.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 27 Dec 2015 16:55:20 +0000
-Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
- NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
- (bugzilla #2508)
-
----
- ChangeLog | 6 ++++++
- libtiff/tif_next.c | 10 ++++++++--
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
-index dd669cc..0a5b635 100644
---- a/libtiff/tif_next.c
-+++ b/libtiff/tif_next.c
-@@ -37,7 +37,7 @@
- case 0: op[0] = (unsigned char) ((v) << 6); break; \
- case 1: op[0] |= (v) << 4; break; \
- case 2: op[0] |= (v) << 2; break; \
-- case 3: *op++ |= (v); break; \
-+ case 3: *op++ |= (v); op_offset++; break; \
- } \
- }
-
-@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- uint32 imagewidth = tif->tif_dir.td_imagewidth;
- if( isTiled(tif) )
- imagewidth = tif->tif_dir.td_tilewidth;
-+ tmsize_t op_offset = 0;
-
- /*
- * The scanline is composed of a sequence of constant
-@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- * bounds, potentially resulting in a security
- * issue.
- */
-- while (n-- > 0 && npixels < imagewidth)
-+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
- SETPIXEL(op, grey);
- if (npixels >= imagewidth)
- break;
-+ if (op_offset >= scanline ) {
-+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
-+ (long) tif->tif_row);
-+ return (0);
-+ }
- if (cc == 0)
- goto bad;
- n = *bp++, cc--;