Fixed multiple vulnerabilities, as per Gentoo bug ():

http://bugs.gentoo.org/show_bug.cgi?id=142383
Andrey Kiselev 2006-09-28 16:26:03 +00:00
parent b201d46b26
commit fe30eef772
3 changed files with 37 additions and 15 deletions


@ -1,4 +1,4 @@
/* $Id: tif_fax3.c,v 1.41 2006-06-08 11:33:00 dron Exp $ */
/* $Id: tif_fax3.c,v 1.42 2006-09-28 16:26:03 dron Exp $ */
/*
* Copyright (c) 1990-1997 Sam Leffler
@ -1138,6 +1138,7 @@ static int
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
{
Fax3BaseState* sp = Fax3State(tif);
const TIFFFieldInfo* fip;
assert(sp != 0);
assert(sp->vsetparent != 0);
@ -1145,10 +1146,10 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
switch (tag) {
case TIFFTAG_FAXMODE:
sp->mode = va_arg(ap, int);
return (1); /* NB: pseudo tag */
return 1; /* NB: pseudo tag */
case TIFFTAG_FAXFILLFUNC:
DecoderState(tif)->fill = va_arg(ap, TIFFFaxFillFunc);
return (1); /* NB: pseudo tag */
return 1; /* NB: pseudo tag */
case TIFFTAG_GROUP3OPTIONS:
/* XXX: avoid reading options if compression mismatches. */
if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
@ -1183,9 +1184,14 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
default:
return (*sp->vsetparent)(tif, tag, ap);
}
TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
if ((fip = _TIFFFieldWithTag(tif, tag)))
TIFFSetFieldBit(tif, fip->field_bit);
else
return 0;
tif->tif_flags |= TIFF_DIRTYDIRECT;
return (1);
return 1;
}
static int
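Review bot: The new `else return 0;` path at the end of Fax3VSetField is reached only after the switch has run, and the case bodies (mostly outside this hunk) appear to store the tag value into the codec state first, so a caller can get 0 back while the state has already changed. Doing the `_TIFFFieldWithTag(tif, tag)` lookup before the value is stored would keep the failure free of side effects. The failure is also silent, so a diagnostic before the return would help whoever has to triage a rejected file. A short comment such as `/* lookup may fail for a tag with no registered field info; never dereference the result unchecked */` would record why the check exists. Separating the assignment from the test, `fip = _TIFFFieldWithTag(tif, tag); if (fip == NULL) return 0;`, also reads more clearly than the double-parenthesised form.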


@ -1,4 +1,4 @@
/* $Id: tif_next.c,v 1.6 2005-12-21 12:23:13 joris Exp $ */
/* $Id: tif_next.c,v 1.7 2006-09-28 16:26:03 dron Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@ -99,17 +99,21 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s)
unsigned long imagewidth = tif->tif_dir.td_imagewidth;
/*
* The scanline is composed of a sequence
* of constant color ``runs''. We shift
* into ``run mode'' and interpret bytes
* as codes of the form <color><npixels>
* until we've filled the scanline.
* The scanline is composed of a sequence of constant
* color ``runs''. We shift into ``run mode'' and
* interpret bytes as codes of the form
* <color><npixels> until we've filled the scanline.
*/
op = row;
for (;;) {
grey = (n>>6) & 0x3;
n &= 0x3f;
while (n-- > 0)
/*
* Ensure the run does not exceed the scanline
* bounds, potentially resulting in a security
* issue.
*/
while (n-- > 0 && npixels < imagewidth)
SETPIXEL(op, grey);
if (npixels >= (int) imagewidth)
break;
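Review bot: The added bound `npixels < imagewidth` compares against an `unsigned long`, while the exit test two lines later still uses `npixels >= (int) imagewidth`, so the two checks in this loop do not share one type. The declaration of `npixels` is outside the hunk, but the existing cast suggests it is a signed int; in that case the new comparison converts it to unsigned and the old one truncates the width, and the two can disagree for very large widths. Using one form for both, for example `while (n-- > 0 && npixels < (long) imagewidth)` with a matching cast in the `if`, keeps the bound consistent. The new check limits the run to the image width in pixels; whether that always matches the size of the row buffer `op` writes into is not visible in this hunk and is worth confirming.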


@ -1,4 +1,4 @@
/* $Id: tif_pixarlog.c,v 1.14 2006-03-16 12:38:24 dron Exp $ */
/* $Id: tif_pixarlog.c,v 1.15 2006-09-28 16:26:03 dron Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@ -327,7 +327,7 @@ horizontalAccumulate11(uint16 *wp, int n, int stride, uint16 *op)
while (n > 0) {
REPEAT(stride,
wp[stride] += *wp; *op = *wp&mask; wp++; op++)
n -= stride;
n -= stride;
}
}
}
@ -768,6 +768,18 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabArrayOfShort(up, nsamples);
/*
* if llen is not an exact multiple of nsamples, the decode operation
* may overflow the output buffer, so truncate it enough to prevent
* that but still salvage as much data as possible.
*/
if (nsamples % llen) {
TIFFWarningExt(tif->tif_clientdata, module,
"%s: stride %lu is not a multiple of sample count, "
"%lu, data truncated.", tif->tif_name, llen, nsamples);
nsamples -= nsamples % llen;
}
for (i = 0; i < nsamples; i += llen, up += llen) {
switch (sp->user_datafmt) {
case PIXARLOGDATAFMT_FLOAT:
@ -1036,7 +1048,7 @@ PixarLogEncode(TIFF* tif, tidata_t bp, tsize_t cc, tsample_t s)
TIFFDirectory *td = &tif->tif_dir;
PixarLogState *sp = EncoderState(tif);
static const char module[] = "PixarLogEncode";
int i, n, llen;
int i, n, llen;
unsigned short * up;
(void) s;
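Review bot: The new warning in PixarLogDecode passes `llen` and `nsamples` to `%lu`, but their declarations are outside the hunk and PixarLogEncode in this same file declares `int i, n, llen;`. If the decoder also uses int, the arguments need casts, e.g. `tif->tif_name, (unsigned long) llen, (unsigned long) nsamples`, because a mismatched specifier is undefined behaviour on exactly the path a malformed file triggers. The comment and the message also state the relation backwards: the code tests `nsamples % llen`, so it is the sample count that is not a multiple of the stride. The modulo assumes `llen` is non-zero; whether that is guaranteed earlier in the function is not visible here, and a guard such as `if (llen <= 0) return 0;` before it would make the assumption explicit.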