1
0
forked from brl/citadel
citadel/poky/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch

55 lines
1.9 KiB
Diff
Raw Normal View History

From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 15 Jul 2017 11:13:46 +0000
Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
"Raw" mode on PlanarConfig=Contig input images. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
Upstream-Status: Backport
[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556]
CVE: CVE-2017-11355
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
ChangeLog | 7 +++++++
tools/tiff2pdf.c | 7 ++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 42eaeb7..6980da8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-07-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
+ mode on PlanarConfig=Contig input images.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
+ Reported by team OWL337
+
2017-06-30 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index db196e0..cd1e235 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
return;
t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
- if(t2p->pdf_nopassthrough==0){
+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
+ /* do not take into account the number of samples, and thus */
+ /* that can cause heap buffer overflows such as in */
+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
#ifdef CCITT_SUPPORT
if(t2p->tiff_compression==COMPRESSION_CCITTFAX4
){
--
2.7.4