authorfaxguy <faxguy>2010-12-08 00:47:52 +0000
committerfaxguy <faxguy>2010-12-08 00:47:52 +0000
commit7e2adccd6129fcb5349c9ca2166638606ee34f18 (patch)
tree12ae185f3a0f3e39a4f76b8fe31eb918f975a647
parent4acd2982857b283e99f8543942dede8a72c6cb34 (diff)
downloadlibtiff-7e2adccd6129fcb5349c9ca2166638606ee34f18.tar.gz
Apply Tom Lane's partial-patch and fix for CVE-2010-3087.
-rw-r--r--libtiff/tif_jpeg.c16
-rw-r--r--libtiff/tif_strip.c20
2 files changed, 19 insertions, 17 deletions
diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
index c9afe432..c5d07c06 100644
--- a/libtiff/tif_jpeg.c
+++ b/libtiff/tif_jpeg.c
@@ -1,4 +1,4 @@
-/* $Id: tif_jpeg.c,v 1.50.2.12 2010-12-06 20:53:13 faxguy Exp $ */
+/* $Id: tif_jpeg.c,v 1.50.2.13 2010-12-08 00:47:52 faxguy Exp $ */
/*
* Copyright (c) 1994-1997 Sam Leffler
@@ -988,8 +988,15 @@ JPEGDecodeRaw(TIFF* tif, tidata_t buf, tsize_t cc, tsample_t s)
tsize_t nrows;
(void) s;
- /* data is expected to be read in multiples of a scanline */
- if ( (nrows = sp->cinfo.d.image_height) ) {
+ nrows = cc / sp->bytesperline;
+ if (cc % sp->bytesperline)
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
+
+ if( nrows > (int) sp->cinfo.d.image_height )
+ nrows = sp->cinfo.d.image_height;
+
+ /* data is expected to be read in multiples of a scanline */
+ if (nrows) {
/* Cb,Cr both have sampling factors 1, so this is correct */
JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;
int samples_per_clump = sp->samplesperclump;
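Review bot: The added `nrows = cc / sp->bytesperline;` and the `cc % sp->bytesperline` test divide by a value this hunk never checks, so a zero `bytesperline` would be undefined behaviour. Where `bytesperline` is assigned is not visible here, but the tif_strip.c part of this commit shows TIFFScanlineSize returning 0 for invalid subsampling, so a zero value looks reachable from a malformed file. A guard before the division, e.g. `if (sp->bytesperline <= 0) return 0;` preceded by a TIFFErrorExt message (assuming 0 is this function's failure return), would close that. Separately, `if (nrows)` is also true for a negative `nrows` produced by a negative `cc`, in which case the do/while body still runs once; `if (nrows > 0)` states the intent. The body of JPEGDecodeRaw continues outside the hunk.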
@@ -1087,8 +1094,7 @@ JPEGDecodeRaw(TIFF* tif, tidata_t buf, tsize_t cc, tsample_t s)
* TODO: resolve this */
buf += sp->bytesperline;
cc -= sp->bytesperline;
- nrows -= sp->v_sampling;
- } while (nrows > 0);
+ } while (--nrows > 0);
#ifdef JPEG_LIB_MK1
_TIFFfree(tmpbuf);
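Review bot: With the decrement changed to `--nrows`, the counter is now in units of `bytesperline`-sized output rows, while the clamp added earlier in this function compares `nrows` against `sp->cinfo.d.image_height`, which is in image rows. If each iteration still covers `v_sampling` image rows (the removed `nrows -= sp->v_sampling` suggests so), the clamp is too loose by that factor for subsampled images and the loop is effectively bounded only by `cc`; consider clamping to `TIFFhowmany(sp->cinfo.d.image_height, sp->v_sampling)` instead. The comment above `buf += sp->bytesperline` still ends in "TODO: resolve this" and should be updated to state what the buf/cc accounting now is. The loop opens outside the hunk, so how the decoder reacts to surplus iterations cannot be confirmed from here.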
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
index 63dec6bd..b1d3ed92 100644
--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -1,4 +1,4 @@
-/* $Id: tif_strip.c,v 1.19.2.1 2010-06-08 18:50:43 bfriesen Exp $ */
+/* $Id: tif_strip.c,v 1.19.2.2 2010-12-08 00:47:52 faxguy Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -238,23 +238,19 @@ TIFFScanlineSize(TIFF* tif)
ycbcrsubsampling + 0,
ycbcrsubsampling + 1);
- if (ycbcrsubsampling[0] == 0) {
+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
"Invalid YCbCr subsampling");
return 0;
}
- scanline = TIFFroundup(td->td_imagewidth,
+ /* number of sample clumps per line */
+ scanline = TIFFhowmany(td->td_imagewidth,
ycbcrsubsampling[0]);
- scanline = TIFFhowmany8(multiply(tif, scanline,
- td->td_bitspersample,
- "TIFFScanlineSize"));
- return ((tsize_t)
- summarize(tif, scanline,
- multiply(tif, 2,
- scanline / ycbcrsubsampling[0],
- "TIFFVStripSize"),
- "TIFFVStripSize"));
+ /* number of samples per line */
+ scanline = multiply(tif, scanline,
+ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
+ "TIFFScanlineSize");
} else {
scanline = multiply(tif, td->td_imagewidth,
td->td_samplesperpixel,