On Fri, Mar 28, 2014 at 06:38:07PM -0400, Michael Gilbert wrote:
> package: src:tiff
> version: 3.9.4-5
> severity: important
> 
> This issue is currently unfixed in the tiff packages:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243

This wasn't fixed in DSA 2744 since no patch was available back then.

Since then, Red Hat has used the attached patch in a security update
for RHEL.

Cheers,
        Moritz
diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
index 2786974..9262573 100644
--- a/tools/gif2tiff.c
+++ b/tools/gif2tiff.c
@@ -276,6 +276,10 @@ readgifimage(char* mode)
         fprintf(stderr, "no colormap present for image\n");
         return (0);
     }
+    if (width == 0 || height == 0) {
+        fprintf(stderr, "Invalid value of width or height\n");
+        return(0);
+    }
     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
         fprintf(stderr, "not enough memory for image\n");
         return (0);
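Review bot: The added guard rejects zero dimensions but leaves the product in `_TIFFmalloc(width*height+EXTRAFUDGE)` unchecked, so a large width and height may wrap and produce a raster smaller than the image the rest of the tool expects. The declarations of `width` and `height` and the size type taken by `_TIFFmalloc` are outside the hunk, so whether the multiplication can overflow here is not certain. If it can, extend the test to `if (width == 0 || height == 0 || width > (MAX_ALLOC - EXTRAFUDGE) / height) {`, where `MAX_ALLOC` stands for the largest value the allocation size type can hold. readgifimage() starts and ends outside the hunk.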
@@ -402,6 +406,10 @@ process(register int code, unsigned char** fill)
             fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
             return 0;
         }
+        if (*fill >= raster + width*height) {
+            fprintf(stderr, "raster full before eoi code\n");
+            return 0;
+        }
 	*(*fill)++ = suffix[code];
 	firstchar = oldcode = code;
 	return 1;
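Review bot: This four-line guard is pasted here and again inside the do/while loop of the next hunk (`@@ -432,6 +440,10 @@`), with no comment linking the bound to the allocation in readgifimage(). The limit `raster + width*height` deliberately excludes the `EXTRAFUDGE` slack that the allocation adds, which is worth stating, for example `/* raster holds width*height pixels plus EXTRAFUDGE slack; never write past the pixel area */`. A small static helper that returns whether `*fill` has reached the end of the raster would keep the two write sites from drifting apart. The added lines are indented with spaces while the neighbouring context lines use tabs. process() starts outside both hunks, so how its callers handle the new `return 0` is not visible here.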
@@ -432,6 +440,10 @@ process(register int code, unsigned char** fill)
     }
     oldcode = incode;
     do {
+        if (*fill >= raster + width*height) {
+            fprintf(stderr, "raster full before eoi code\n");
+            return 0;
+        }
 	*(*fill)++ = *--stackp;
     } while (stackp > stack);
     return 1;
