diff --git a/ChangeLog b/ChangeLog index ebfb3e68..f72059f7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,18 +1,25 @@ +2013-09-12 Bob Friesenhahn + + * libtiff/tif_dir.c (TIFFAdvanceDirectory): If nextdir is found to + be defective, then set it to zero before returning error in order + to terminate processing of truncated TIFF. Issue found and fix + suggested by Richard Nolde. + 2013-08-14 Frank Warmerdam - * tools/gif2tiff.c: fix possible OOB write (#2452, CVE-2013-4244) + * tools/gif2tiff.c: fix possible OOB write (#2452, CVE-2013-4244) 2013-08-13 Frank Warmerdam * tools/gif2tiff.c: Be more careful about corrupt or hostile input files (#2450, CVE-2013-4231) - * tools/tiff2pdf.c: terminate after failure of allocating + * tools/tiff2pdf.c: terminate after failure of allocating ycbcr buffer (bug #2449, CVE-2013-4232) 2013-07-09 Frank Warmerdam - * tools/tiffinfo.c: Default various values fetched with + * tools/tiffinfo.c: Default various values fetched with TIFFGetField() to avoid being uninitialized. 2013-05-02 Tom Lane diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c index 8bf3ea71..ab941d8c 100644 --- a/libtiff/tif_dir.c +++ b/libtiff/tif_dir.c @@ -1,4 +1,4 @@ -/* $Id: tif_dir.c,v 1.113 2012-06-14 20:32:53 fwarmerdam Exp $ */ +/* $Id: tif_dir.c,v 1.114 2013-09-13 02:34:50 bfriesen Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -1344,6 +1344,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* nextdir, uint64* off) if (((uint64)poffa!=poff)||(poffbtif->tif_size)) { TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count"); + *nextdir=0; return(0); } _TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16));
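Review bot: The reset `*nextdir=0;` is added only on the "Error fetching directory count" path in the second tif_dir.c hunk, and TIFFAdvanceDirectory's body starts and continues outside that hunk. Any other `return(0)` in the function that leaves `*nextdir` holding the defective offset would presumably still let a caller resume from the same bad offset on a truncated or malformed file, so those paths should be checked and given the same reset. The new line also deserves a short why-comment such as `/* clear the bad offset so directory iteration stops here */`, because the reasoning currently lives only in the ChangeLog entry.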