Package: tiff
Version: 3.8.2-11
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu karmic ubuntu-patch

Hello!

The attached TIFF will crash libtiff, as investigated by the PSP hacking
community[1], the Ubuntu bug report[2], and upstream[3].

Attached patch seems to solve the underflow, but has not been regression
tested.

Thanks,

-Kees

[1] http://www.lan.st/showthread.php?t=1856&page=3
[2] https://bugs.edge.launchpad.net/bugs/380149
[3] http://bugzilla.maptools.org/show_bug.cgi?id=2065

-- 
Kees Cook                                            @debian.org
Description: fix underflow loop in LZWDecodeCompat
Author: Kees Cook <[email protected]>
Ubuntu: https://bugs.edge.launchpad.net/bugs/380149

--- tiff-3.8.2~/libtiff/tif_lzw.c	2009-06-21 16:10:05.000000000 -0700
+++ tiff-3.8.2/libtiff/tif_lzw.c	2009-06-21 16:09:38.000000000 -0700
@@ -670,6 +670,7 @@
 		}
 		oldcodep = codep;
 		if (code >= 256) {
+			char *op_orig = op;
 			/*
 		 	 * Code maps to a string, copy string
 			 * value to output (written in reverse).
@@ -704,7 +705,7 @@
 			tp = op;
 			do {
 				*--tp = codep->value;
-			} while( (codep = codep->next) != NULL);
+			} while( (codep = codep->next) != NULL && tp > op_orig);
 		} else
 			*op++ = code, occ--;
 	}

Reply via email to