Author: draenog                      Date: Fri Sep  5 13:57:11 2008 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- fix LZW decoding vulnerabilities (CVE-2008-2327); taken from Fedora

---- Files affected:
SOURCES:
   libtiff-lzw-bugs.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/libtiff-lzw-bugs.patch
diff -u /dev/null SOURCES/libtiff-lzw-bugs.patch:1.1
--- /dev/null   Fri Sep  5 15:57:11 2008
+++ SOURCES/libtiff-lzw-bugs.patch      Fri Sep  5 15:57:05 2008
@@ -0,0 +1,58 @@
+Fixes for CVE-2008-2327
+
+
+diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c  2006-03-21 11:42:50.000000000 -0500
++++ tiff-3.8.2/libtiff/tif_lzw.c       2008-08-22 16:26:01.000000000 -0400
+@@ -237,6 +237,11 @@
+                     sp->dec_codetab[code].length = 1;
+                     sp->dec_codetab[code].next = NULL;
+                 } while (code--);
++              /*
++               * Zero-out the unused entries
++               */
++              _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++                          (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
+       }
+       return (1);
+ }
+@@ -408,12 +413,19 @@
+                       break;
+               if (code == CODE_CLEAR) {
+                       free_entp = sp->dec_codetab + CODE_FIRST;
++                      _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof 
(code_t));
+                       nbits = BITS_MIN;
+                       nbitsmask = MAXCODE(BITS_MIN);
+                       maxcodep = sp->dec_codetab + nbitsmask-1;
+                       NextCode(tif, sp, bp, code, GetNextCode);
+                       if (code == CODE_EOI)
+                               break;
++                      if (code == CODE_CLEAR) {
++                              TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++                              "LZWDecode: Corrupted LZW table at scanline %d",
++                              tif->tif_row);
++                              return (0);
++                      }
+                       *op++ = (char)code, occ--;
+                       oldcodep = sp->dec_codetab + code;
+                       continue;
+@@ -604,12 +616,19 @@
+                       break;
+               if (code == CODE_CLEAR) {
+                       free_entp = sp->dec_codetab + CODE_FIRST;
++                      _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof 
(code_t));
+                       nbits = BITS_MIN;
+                       nbitsmask = MAXCODE(BITS_MIN);
+                       maxcodep = sp->dec_codetab + nbitsmask;
+                       NextCode(tif, sp, bp, code, GetNextCodeCompat);
+                       if (code == CODE_EOI)
+                               break;
++                      if (code == CODE_CLEAR) {
++                              TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++                              "LZWDecodeCompat: Corrupted LZW table at 
scanline %d",
++                              tif->tif_row);
++                              return (0);
++                      }
+                       *op++ = code, occ--;
+                       oldcodep = sp->dec_codetab + code;
+                       continue;
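Review bot: The new guard after the table reset rejects only a second CODE_CLEAR, so in the LZWDecode hunk (inner -408) a code at or above CODE_FIRST still reaches `*op++ = (char)code` and sets `oldcodep` to an entry the preceding `_TIFFmemset` has just zeroed. No string entry can exist in the table at that point, so the check would be safer as `if (code >= CODE_CLEAR) {`, with the CODE_EOI test kept before it; this assumes the first BITS_MIN-wide code after a reset can exceed CODE_FIRST, which the constants outside the hunk would confirm. The same applies to the identical guard in the LZWDecodeCompat hunk (inner -604). Both decode loops start and end outside the hunks shown.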
================================================================