diff options
Diffstat (limited to 'third_party/libtiff/0020-unreasonable-td-bitspersample.patch')
| -rw-r--r-- | third_party/libtiff/0020-unreasonable-td-bitspersample.patch | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/third_party/libtiff/0020-unreasonable-td-bitspersample.patch b/third_party/libtiff/0020-unreasonable-td-bitspersample.patch new file mode 100644 index 0000000000..1ad5e34e3c --- /dev/null +++ b/third_party/libtiff/0020-unreasonable-td-bitspersample.patch @@ -0,0 +1,22 @@ +diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c +index 0e3f8ccd4..e0403aef3 100644 +--- a/third_party/libtiff/tif_dirread.c ++++ b/third_party/libtiff/tif_dirread.c +@@ -3754,6 +3754,17 @@ TIFFReadDirectory(TIFF* tif) + fip ? fip->field_name : "unknown tagname"); + continue; + } ++ /* ColorMap or TransferFunction for high bit */ ++ /* depths do not make much sense and could be */ ++ /* used as a denial of service vector */ ++ if (tif->tif_dir.td_bitspersample > 24) ++ { ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "Ignoring %s because BitsPerSample=%d>24", ++ fip ? fip->field_name : "unknown tagname", ++ tif->tif_dir.td_bitspersample); ++ continue; ++ } + countpersample=(1L<<tif->tif_dir.td_bitspersample); + if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) + { |