Fixed multiple vulnerabilities, as per Gentoo bug ():
http://bugs.gentoo.org/show_bug.cgi?id=142383
parent
b201d46b26
commit
fe30eef772
@ -1,4 +1,4 @@
|
|||||||
/* $Id: tif_fax3.c,v 1.41 2006-06-08 11:33:00 dron Exp $ */
|
/* $Id: tif_fax3.c,v 1.42 2006-09-28 16:26:03 dron Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1990-1997 Sam Leffler
|
* Copyright (c) 1990-1997 Sam Leffler
|
||||||
@ -1138,6 +1138,7 @@ static int
|
|||||||
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
|
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
|
||||||
{
|
{
|
||||||
Fax3BaseState* sp = Fax3State(tif);
|
Fax3BaseState* sp = Fax3State(tif);
|
||||||
|
const TIFFFieldInfo* fip;
|
||||||
|
|
||||||
assert(sp != 0);
|
assert(sp != 0);
|
||||||
assert(sp->vsetparent != 0);
|
assert(sp->vsetparent != 0);
|
||||||
@ -1145,10 +1146,10 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
|
|||||||
switch (tag) {
|
switch (tag) {
|
||||||
case TIFFTAG_FAXMODE:
|
case TIFFTAG_FAXMODE:
|
||||||
sp->mode = va_arg(ap, int);
|
sp->mode = va_arg(ap, int);
|
||||||
return (1); /* NB: pseudo tag */
|
return 1; /* NB: pseudo tag */
|
||||||
case TIFFTAG_FAXFILLFUNC:
|
case TIFFTAG_FAXFILLFUNC:
|
||||||
DecoderState(tif)->fill = va_arg(ap, TIFFFaxFillFunc);
|
DecoderState(tif)->fill = va_arg(ap, TIFFFaxFillFunc);
|
||||||
return (1); /* NB: pseudo tag */
|
return 1; /* NB: pseudo tag */
|
||||||
case TIFFTAG_GROUP3OPTIONS:
|
case TIFFTAG_GROUP3OPTIONS:
|
||||||
/* XXX: avoid reading options if compression mismatches. */
|
/* XXX: avoid reading options if compression mismatches. */
|
||||||
if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
|
if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
|
||||||
@ -1183,9 +1184,14 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
|
|||||||
default:
|
default:
|
||||||
return (*sp->vsetparent)(tif, tag, ap);
|
return (*sp->vsetparent)(tif, tag, ap);
|
||||||
}
|
}
|
||||||
TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
|
|
||||||
|
if ((fip = _TIFFFieldWithTag(tif, tag)))
|
||||||
|
TIFFSetFieldBit(tif, fip->field_bit);
|
||||||
|
else
|
||||||
|
return 0;
|
||||||
|
|
||||||
tif->tif_flags |= TIFF_DIRTYDIRECT;
|
tif->tif_flags |= TIFF_DIRTYDIRECT;
|
||||||
return (1);
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
|
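Review bot: In the last Fax3VSetField hunk the NULL check is written as an assignment inside the `if` condition with an unbraced `if`/`else`, which is easy to misread in a check whose whole purpose is to stop a NULL dereference of the lookup result. A guard clause states it more directly: `fip = _TIFFFieldWithTag(tif, tag);`, then `if (fip == NULL) return 0;`, then `TIFFSetFieldBit(tif, fip->field_bit);`. The check also sits after the `switch`, so by the time 0 is returned the matching case has presumably already stored the value in the codec state. The case bodies are outside the hunk, so this should be confirmed and recorded in a comment such as `/* tag not in the field table: fail here; the value stored by the case above is not rolled back */`.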
@ -1,4 +1,4 @@
|
|||||||
/* $Id: tif_next.c,v 1.6 2005-12-21 12:23:13 joris Exp $ */
|
/* $Id: tif_next.c,v 1.7 2006-09-28 16:26:03 dron Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1988-1997 Sam Leffler
|
* Copyright (c) 1988-1997 Sam Leffler
|
||||||
@ -99,17 +99,21 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s)
|
|||||||
unsigned long imagewidth = tif->tif_dir.td_imagewidth;
|
unsigned long imagewidth = tif->tif_dir.td_imagewidth;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The scanline is composed of a sequence
|
* The scanline is composed of a sequence of constant
|
||||||
* of constant color ``runs''. We shift
|
* color ``runs''. We shift into ``run mode'' and
|
||||||
* into ``run mode'' and interpret bytes
|
* interpret bytes as codes of the form
|
||||||
* as codes of the form <color><npixels>
|
* <color><npixels> until we've filled the scanline.
|
||||||
* until we've filled the scanline.
|
|
||||||
*/
|
*/
|
||||||
op = row;
|
op = row;
|
||||||
for (;;) {
|
for (;;) {
|
||||||
grey = (n>>6) & 0x3;
|
grey = (n>>6) & 0x3;
|
||||||
n &= 0x3f;
|
n &= 0x3f;
|
||||||
while (n-- > 0)
|
/*
|
||||||
|
* Ensure the run does not exceed the scanline
|
||||||
|
* bounds, potentially resulting in a security
|
||||||
|
* issue.
|
||||||
|
*/
|
||||||
|
while (n-- > 0 && npixels < imagewidth)
|
||||||
SETPIXEL(op, grey);
|
SETPIXEL(op, grey);
|
||||||
if (npixels >= (int) imagewidth)
|
if (npixels >= (int) imagewidth)
|
||||||
break;
|
break;
|
||||||
|
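Review bot: The new loop condition `npixels < imagewidth` compares against the `unsigned long` width directly, while the unchanged test two lines below narrows it with `(int) imagewidth`, so for a width that does not fit in an int the two checks disagree. npixels is declared outside the hunk (the cast suggests it is an int), so the cleanest fix is to use one form in both places, for example `if (npixels >= imagewidth)` with npixels kept non-negative or declared unsigned. The new bound also protects the write only if the buffer behind `row` has room for imagewidth pixels. That sizing against `occ` and the scanline size is not visible in this hunk and should be confirmed or checked explicitly before the loop.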
@ -1,4 +1,4 @@
|
|||||||
/* $Id: tif_pixarlog.c,v 1.14 2006-03-16 12:38:24 dron Exp $ */
|
/* $Id: tif_pixarlog.c,v 1.15 2006-09-28 16:26:03 dron Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1996-1997 Sam Leffler
|
* Copyright (c) 1996-1997 Sam Leffler
|
||||||
@ -327,7 +327,7 @@ horizontalAccumulate11(uint16 *wp, int n, int stride, uint16 *op)
|
|||||||
while (n > 0) {
|
while (n > 0) {
|
||||||
REPEAT(stride,
|
REPEAT(stride,
|
||||||
wp[stride] += *wp; *op = *wp&mask; wp++; op++)
|
wp[stride] += *wp; *op = *wp&mask; wp++; op++)
|
||||||
n -= stride;
|
n -= stride;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -768,6 +768,18 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
|
|||||||
if (tif->tif_flags & TIFF_SWAB)
|
if (tif->tif_flags & TIFF_SWAB)
|
||||||
TIFFSwabArrayOfShort(up, nsamples);
|
TIFFSwabArrayOfShort(up, nsamples);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* if llen is not an exact multiple of nsamples, the decode operation
|
||||||
|
* may overflow the output buffer, so truncate it enough to prevent
|
||||||
|
* that but still salvage as much data as possible.
|
||||||
|
*/
|
||||||
|
if (nsamples % llen) {
|
||||||
|
TIFFWarningExt(tif->tif_clientdata, module,
|
||||||
|
"%s: stride %lu is not a multiple of sample count, "
|
||||||
|
"%lu, data truncated.", tif->tif_name, llen, nsamples);
|
||||||
|
nsamples -= nsamples % llen;
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 0; i < nsamples; i += llen, up += llen) {
|
for (i = 0; i < nsamples; i += llen, up += llen) {
|
||||||
switch (sp->user_datafmt) {
|
switch (sp->user_datafmt) {
|
||||||
case PIXARLOGDATAFMT_FLOAT:
|
case PIXARLOGDATAFMT_FLOAT:
|
||||||
@ -1036,7 +1048,7 @@ PixarLogEncode(TIFF* tif, tidata_t bp, tsize_t cc, tsample_t s)
|
|||||||
TIFFDirectory *td = &tif->tif_dir;
|
TIFFDirectory *td = &tif->tif_dir;
|
||||||
PixarLogState *sp = EncoderState(tif);
|
PixarLogState *sp = EncoderState(tif);
|
||||||
static const char module[] = "PixarLogEncode";
|
static const char module[] = "PixarLogEncode";
|
||||||
int i, n, llen;
|
int i, n, llen;
|
||||||
unsigned short * up;
|
unsigned short * up;
|
||||||
|
|
||||||
(void) s;
|
(void) s;
|
||||||
|
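Review bot: In the PixarLogDecode hunk the warning passes `llen` and `nsamples` to `%lu`, but `llen` is declared `int` in the PixarLogEncode hunk and is presumably an int here too (the declarations are outside the hunk), which makes the format/argument mismatch undefined behaviour in a variadic call. The wording is also inverted: the test is `nsamples % llen`, i.e. the sample count is not a multiple of the stride, and the comment above it has the same reversal. Suggested form: `"%s: sample count %lu is not a multiple of stride %lu, data truncated.", tif->tif_name, (unsigned long) nsamples, (unsigned long) llen);`. Since `llen` is derived from directory fields read from the file, a zero value would make the modulo a division by zero, so a `llen <= 0` guard before this block is worth adding if nothing earlier rules it out.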