[packages] libtiff: fix multiple buffer overflows (patches from Debian)
[packages.git] / libs / tiff / patches / 902-cve-2008-2327.patch
1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2327
2
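--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -237,6 +237,13 @@ LZWSetupDecode(TIFF* tif)
                     sp->dec_codetab[code].length = 1;
                     sp->dec_codetab[code].next = NULL;
                 } while (code--);
+                /*
+                 * Zero-out the unused entries
+                 */
+                 _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+                 (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
+
+
        }
        return (1);
 }
@@ -408,12 +415,20 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
                        break;
                if (code == CODE_CLEAR) {
                        free_entp = sp->dec_codetab + CODE_FIRST;
+                        _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
                        nbits = BITS_MIN;
                        nbitsmask = MAXCODE(BITS_MIN);
                        maxcodep = sp->dec_codetab + nbitsmask-1;
                        NextCode(tif, sp, bp, code, GetNextCode);
                        if (code == CODE_EOI)
                                break;
+                        if (code == CODE_CLEAR) {
+                                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                                "LZWDecode: Corrupted LZW table at scanline %d",
+                                tif->tif_row);
+                                return (0);
+                        }
+
                        *op++ = (char)code, occ--;
                        oldcodep = sp->dec_codetab + code;
                        continue;
@@ -604,12 +619,20 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
                        break;
                if (code == CODE_CLEAR) {
                        free_entp = sp->dec_codetab + CODE_FIRST;
+                        _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
                        nbits = BITS_MIN;
                        nbitsmask = MAXCODE(BITS_MIN);
                        maxcodep = sp->dec_codetab + nbitsmask;
                        NextCode(tif, sp, bp, code, GetNextCodeCompat);
                        if (code == CODE_EOI)
                                break;
+                        if (code == CODE_CLEAR) {
+                                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+                                "LZWDecode: Corrupted LZW table at scanline %d",
+                                tif->tif_row);
+                                return (0);
+                        }
+
                        *op++ = code, occ--;
                        oldcodep = sp->dec_codetab + code;
                        continue;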
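Review bot: The guard added after the post-clear `NextCode` in LZWDecode rejects only a repeated `CODE_CLEAR`, so a code above `CODE_EOI` read at that point still reaches `*op++ = (char)code` and `oldcodep = sp->dec_codetab + code`. There it is truncated to one byte and leaves `oldcodep` on what is presumably one of the entries the new `_TIFFmemset` has just zeroed. The first code after a clear is expected to be a literal, so the test would be tighter as `if (code >= CODE_CLEAR) {`, since `CODE_EOI` is already handled by the `break` above it. The identical guard in the LZWDecodeCompat hunk needs the same change. Both function bodies start and end outside the hunks, so how later iterations treat a zero-length entry is inferred rather than visible here.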