Index: ChangeLog
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/ChangeLog,v
retrieving revision 1.602.2.130
diff -r1.602.2.130 ChangeLog
0a1,7
> 2011-03-12 Frank Warmerdam <warmerdam@pobox.com>
>
> * libtiff/tif_thunder.c: Correct potential buffer overflow with
> thunder encoded files with wrong bitspersample set. The libtiff
> development team would like to thank Marin Barbella and TippingPoint's
> Zero Day Initiative for reporting this vulnerability (ZDI-CAN-1004).
>
Index: libtiff/tif_thunder.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_thunder.c,v
retrieving revision 1.5.2.1
diff -r1.5.2.1 tif_thunder.c
27a28
> #include <assert.h>
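Review bot: `<assert.h>` is added here, but none of the hunks in this patch call `assert()`, so the include looks unused unless the file uses it in lines not shown. If an assertion on `npixels` was planned as part of the overflow fix, note that `assert` compiles out under `NDEBUG` and cannot serve as the bounds check; the runtime guard in SETPIXEL has to stay the real protection. Otherwise I would drop the include.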
58,62c59,65
< #define SETPIXEL(op, v) { \
< lastpixel = (v) & 0xf; \
< if (npixels++ & 1) \
< *op++ |= lastpixel; \
< else \
---
> #define SETPIXEL(op, v) { \
> lastpixel = (v) & 0xf; \
> if ( npixels < maxpixels ) \
> { \
> if (npixels++ & 1) \
> *op++ |= lastpixel; \
> else \
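Review bot: The new `npixels < maxpixels` guard in SETPIXEL drops every pixel past the bound without any signal, and `npixels` stops advancing at `maxpixels`. After the loop a caller therefore sees the same count for an exact fit and for an over-long run, so a later `npixels != maxpixels` comparison could no longer report excess data. Whether ThunderDecode makes such a comparison is not visible in this patch. The macro also takes `npixels`, `maxpixels` and `lastpixel` from the expansion site, which deserves a comment above it such as `/* SETPIXEL requires npixels, maxpixels and lastpixel in scope; writes at or beyond maxpixels are discarded */`. The macro body continues past this hunk; its closing braces arrive in the 63a67,84 hunk.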
63a67,84
> } \
> }
>
> static int
> ThunderSetupDecode(TIFF* tif)
> {
> static const char module[] = "ThunderSetupDecode";
>
> if( tif->tif_dir.td_bitspersample != 4 )
> {
> TIFFErrorExt(tif->tif_clientdata, module,
> "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
> (int) tif->tif_dir.td_bitspersample );
> return 0;
> }
>
>
> return (1);
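Review bot: ThunderSetupDecode carries no comment saying why only 4 bits per sample is accepted, and that reason is the security-relevant part of this patch. SETPIXEL masks each value with `0xf` and packs two pixels into one output byte, so presumably an output row sized from any other bitspersample value would not match what the decoder writes. I would add above the function `/* Reject bitspersample != 4: the decoder emits two 4-bit pixels per byte, see SETPIXEL */`. The error text reads `4bits per sample` where `4 bits per sample` is meant, and the two consecutive blank lines before `return (1);` can be reduced to one. The function's closing brace lies outside this hunk.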
145c166,167
< return (1);
---
>
> return (1);
153a176
> tif->tif_setupdecode = ThunderSetupDecode;
165a189
>