48 lines
1.7 KiB
Diff
48 lines
1.7 KiB
Diff
|
Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).
|
||
|
|
|
||
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
|
||
|
|
|
||
|
|
Patches exfiltrated from upstream CVS repo with:
|
||
|
|
cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c
|
||
|
|
|
||
|
|
Index: tools/tiff2pdf.c
|
||
|
|
===================================================================
|
||
|
|
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
|
||
|
|
retrieving revision 1.92
|
||
|
|
retrieving revision 1.94
|
||
|
|
diff -u -r1.92 -r1.94
|
||
|
|
--- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92
|
||
|
|
+++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94
|
||
|
|
@@ -2887,21 +2887,24 @@
|
||
|
|
return(0);
|
||
|
|
}
|
||
|
|
if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
|
||
|
|
- if (count > 0) {
|
||
|
|
- _TIFFmemcpy(buffer, jpt, count);
|
||
|
|
+ if (count >= 4) {
|
||
|
|
+ /* Ignore EOI marker of JpegTables */
|
||
|
|
+ _TIFFmemcpy(buffer, jpt, count - 2);
|
||
|
|
bufferoffset += count - 2;
|
||
|
|
+ /* Store last 2 bytes of the JpegTables */
|
||
|
|
table_end[0] = buffer[bufferoffset-2];
|
||
|
|
table_end[1] = buffer[bufferoffset-1];
|
||
|
|
- }
|
||
|
|
- if (count > 0) {
|
||
|
|
xuint32 = bufferoffset;
|
||
|
|
+ bufferoffset -= 2;
|
||
|
|
bufferoffset += TIFFReadRawTile(
|
||
|
|
input,
|
||
|
|
tile,
|
||
|
|
- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),
|
||
|
|
+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
|
||
|
|
-1);
|
||
|
|
- buffer[xuint32-2]=table_end[0];
|
||
|
|
- buffer[xuint32-1]=table_end[1];
|
||
|
|
+ /* Overwrite SOI marker of image scan with previously */
|
||
|
|
+ /* saved end of JpegTables */
|
||
|
|
+ buffer[xuint32-2]=table_end[0];
|
||
|
|
+ buffer[xuint32-1]=table_end[1];
|
||
|
|
} else {
|
||
|
|
bufferoffset += TIFFReadRawTile(
|
||
|
|
input,
|