| author | fwarmerdam <fwarmerdam> | 2011-03-03 01:36:10 +0000 |
|---|---|---|
| committer | fwarmerdam <fwarmerdam> | 2011-03-03 01:36:10 +0000 |
| commit | 49944e5cfd8a816cc5157cf78479e9df5307c01b (patch) | |
| tree | 279dceb6d3da1d3f090ff2dd6e699a5677c983f8 | |
| parent | 8b1c79e715e24325a713b8b367d2ab262b89b575 (diff) | |
| download | libtiff-49944e5cfd8a816cc5157cf78479e9df5307c01b.tar.gz | |
incorporate a fix for possible fax3 decoding overflow (CVE-2011-0192)
| -rw-r--r-- | ChangeLog | 11 |
|---|---|---|
| -rw-r--r-- | libtiff/tif_fax3.h | 6 |
2 files changed, 16 insertions, 1 deletions
@@ -1,3 +1,14 @@ +2011-03-02 Frank Warmerdam <warmerdam@pobox.com> + + * libtiff/tif_fax3.h: Protect against a fax VL(n) codeword commanding + a move left. Without this, a malicious input file can generate an + indefinitely large series of runs without a0 ever reaching the right + margin, thus overrunning our buffer of run lengths. Per CVE-2011-0192. + This is a modified version of a patch proposed by Drew Yao of Apple + Product Security. It adds an unexpected() report, and disallows the + equality case, since emitting a run without increasing a0 still allows + buffer overrun. + 2011-02-25 Andrey Kiselev <dron@ak4719.spb.edu> * libtiff/tif_dirwrite.c: Avoid undefined behaviour when casting from diff --git a/libtiff/tif_fax3.h b/libtiff/tif_fax3.h index 40718bcf..f4fc8c8d 100644 --- a/libtiff/tif_fax3.h +++ b/libtiff/tif_fax3.h @@ -1,4 +1,4 @@ -/* $Id: tif_fax3.h,v 1.5.2.1 2010-06-08 18:50:42 bfriesen Exp $ */ +/* $Id: tif_fax3.h,v 1.5.2.2 2011-03-03 01:36:10 fwarmerdam Exp $ */ /* * Copyright (c) 1990-1997 Sam Leffler @@ -478,6 +478,10 @@ done1d: \ break; \ case S_VL: \ CHECK_b1; \ + if (b1 <= (int) (a0 + TabEnt->Param)) { \ + unexpected("VL", a0); \ + goto eol2d; \ + } \ SETVALUE(b1 - a0 - TabEnt->Param); \ b1 -= *--pb; \ break; \ |
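Review bot: in the tif_fax3.h hunk, the `<=` in `if (b1 <= (int) (a0 + TabEnt->Param))` is the load-bearing part of the fix (with `<`, the equality case would let `SETVALUE(b1 - a0 - TabEnt->Param);` emit a zero-length run without advancing a0, so the run-length buffer could still be overrun by a long enough sequence), yet that reasoning appears only in the ChangeLog entry; add a one-line comment above the check in tif_fax3.h itself so a later cleanup does not "tighten" it back to `<`. Second, the guard is placed in the `case S_VL:` arm only and reaches `eol2d` via `unexpected("VL", a0); goto eol2d;`, which closes this one path into SETVALUE rather than bounding the buffer that SETVALUE writes into; it would be worth confirming in the same change that SETVALUE (or the loop around it) cannot write past the end of the run array from any other codeword sequence, since the ChangeLog describes the underlying hazard as the run buffer overrun, not the VL codeword as such.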