Package: tiff Version: 3.8.2-11 Severity: normal Tags: patch User: [email protected] Usertags: origin-ubuntu karmic ubuntu-patch
Hello! The attached TIFF will crash libtiff, as investigated by the PSP hacking community[1], the Ubuntu bug report[2], and upstream[3]. Attached patch seems to solve the underflow, but has not been regression tested. Thanks, -Kees [1] http://www.lan.st/showthread.php?t=1856&page=3 [2] https://bugs.edge.launchpad.net/bugs/380149 [3] http://bugzilla.maptools.org/show_bug.cgi?id=2065 -- Kees Cook @debian.org
Description: fix underflow loop in LZWDecodeCompat Author: Kees Cook <[email protected]> Ubuntu: https://bugs.edge.launchpad.net/bugs/380149 --- tiff-3.8.2~/libtiff/tif_lzw.c 2009-06-21 16:10:05.000000000 -0700 +++ tiff-3.8.2/libtiff/tif_lzw.c 2009-06-21 16:09:38.000000000 -0700 @@ -670,6 +670,7 @@ } oldcodep = codep; if (code >= 256) { + char *op_orig = op; /* * Code maps to a string, copy string * value to output (written in reverse). @@ -704,7 +705,7 @@ tp = op; do { *--tp = codep->value; - } while( (codep = codep->next) != NULL); + } while( (codep = codep->next) != NULL && tp > op_orig); } else *op++ = code, occ--; }

