File: 20-CVE-2018-8905.patch

From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 12 May 2018 15:32:31 +0200
Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.  Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905

The fix consists of using code similar to that of LZWDecode() to validate that we
don't write outside of the output buffer.

 libtiff/tif_lzw.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

Index: tiff-4.0.8/libtiff/tif_lzw.c
===================================================================
--- tiff-4.0.8.orig/libtiff/tif_lzw.c	2018-10-28 12:59:52.864935922 +0100
+++ tiff-4.0.8/libtiff/tif_lzw.c	2018-10-28 13:01:50.136932407 +0100
@@ -603,6 +603,7 @@
 	char *tp;
 	unsigned char *bp;
 	int code, nbits;
+	int len;
 	long nextbits, nextdata, nbitsmask;
 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
 
@@ -751,13 +752,18 @@
 				}  while (--occ);
 				break;
 			}
-			assert(occ >= codep->length);
-			op += codep->length;
-			occ -= codep->length;
-			tp = op;
+                        len = codep->length;
+                        tp = op + len;
 			do {
-				*--tp = codep->value;
-			} while( (codep = codep->next) != NULL );
+                                int t;
+                                --tp;
+                                t = codep->value;
+                                codep = codep->next;
+                                *tp = (char)t;
+                        } while (codep && tp > op);
+                        assert(occ >= len);
+                        op += len;
+                        occ -= len;
 		} else {
 			*op++ = (char)code;
 			occ--;
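Review bot: After the copy loop the new code never checks whether `codep` is still non-NULL, so a code chain longer than `codep->length` (a corrupted code table) is silently truncated at `op` rather than reported; the LZWDecode() path this mirrors follows the same loop with `if (codep) { codeLoop(tif, module); break; }`, and that guard belongs here too, before the `assert(occ >= len)` (assuming `module` is declared in LZWDecodeCompat() as it is in LZWDecode()). Note that the `assert` is compiled out under NDEBUG and in any case runs after the writes; the bound that actually keeps the write inside the buffer is the `tp > op` loop condition together with the length-vs-occ rejection that presumably precedes this hunk, which deserves a comment such as `/* tp > op bounds the write to len bytes; len <= occ was checked above */`. The replacement lines are indented with spaces while the surrounding file uses tabs. The enclosing function LZWDecodeCompat() starts and ends outside this hunk.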