wok annotate tiff/stuff/libtiff-CVE-2011-0192.patch @ rev 9544

tiff: Patched overflows that could lead to aribitrary code execution when parsing a malformed image file. Thanks slackware for having this.
author Christopher Rogers <slaxemulator@gmail.com>
date Sat Apr 09 07:21:58 2011 +0000 (2011-04-09)
parents
children
rev   line source
slaxemulator@9544 1 Protect against a fax VL(n) codeword commanding a move left. Without
slaxemulator@9544 2 this, a malicious input file can generate an indefinitely large series
slaxemulator@9544 3 of runs without a0 ever reaching the right margin, thus overrunning
slaxemulator@9544 4 our buffer of run lengths. Per CVE-2011-0192. This is a modified
slaxemulator@9544 5 version of a patch proposed by Drew Yao of Apple Product Security.
slaxemulator@9544 6 It adds an unexpected() report, and disallows the equality case except
slaxemulator@9544 7 for the first run of a line, since emitting a run without increasing a0
slaxemulator@9544 8 still allows buffer overrun. (We have to allow it for the first run to
slaxemulator@9544 9 cover the case of encoding a zero-length run at start of line using VL.)
slaxemulator@9544 10
slaxemulator@9544 11
slaxemulator@9544 12 diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
slaxemulator@9544 13 --- tiff-3.9.4.orig/libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400
slaxemulator@9544 14 +++ tiff-3.9.4/libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500
slaxemulator@9544 15 @@ -478,6 +478,12 @@
slaxemulator@9544 16 break; \
slaxemulator@9544 17 case S_VL: \
slaxemulator@9544 18 CHECK_b1; \
slaxemulator@9544 19 + if (b1 <= (int) (a0 + TabEnt->Param)) { \
slaxemulator@9544 20 + if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \
slaxemulator@9544 21 + unexpected("VL", a0); \
slaxemulator@9544 22 + goto eol2d; \
slaxemulator@9544 23 + } \
slaxemulator@9544 24 + } \
slaxemulator@9544 25 SETVALUE(b1 - a0 - TabEnt->Param); \
slaxemulator@9544 26 b1 -= *--pb; \
slaxemulator@9544 27 break; \