diff options
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2018-8905.patch')
| -rw-r--r-- | gnu/packages/patches/libtiff-CVE-2018-8905.patch | 61 |
1 files changed, 0 insertions, 61 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2018-8905.patch b/gnu/packages/patches/libtiff-CVE-2018-8905.patch deleted file mode 100644 index f49815789e..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2018-8905.patch +++ /dev/null @@ -1,61 +0,0 @@ -Fix CVE-2018-8095: - -http://bugzilla.maptools.org/show_bug.cgi?id=2780 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905 - -Patch copied from upstream source repository: - -https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d - -From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 -From: Even Rouault <even.rouault@spatialys.com> -Date: Sat, 12 May 2018 15:32:31 +0200 -Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 - -The fix consists in using the similar code LZWDecode() to validate we -don't write outside of the output buffer. ---- - libtiff/tif_lzw.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index 4ccb443c..94d85e38 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - char *tp; - unsigned char *bp; - int code, nbits; -+ int len; - long nextbits, nextdata, nbitsmask; - code_t *codep, *free_entp, *maxcodep, *oldcodep; - -@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - } while (--occ); - break; - } -- assert(occ >= codep->length); -- op += codep->length; -- occ -= codep->length; -- tp = op; -+ len = codep->length; -+ tp = op + len; - do { -- *--tp = codep->value; -- } while( (codep = codep->next) != NULL ); -+ int t; -+ --tp; -+ t = codep->value; -+ codep = codep->next; -+ *tp = (char)t; -+ } while (codep && tp > op); -+ assert(occ >= len); -+ op += len; -+ occ -= len; - } else { - *op++ = (char)code; - occ--; --- -2.17.0 - |