33 lines
903 B
Diff
33 lines
903 B
Diff
Copied from Debian
|
|
|
|
From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001
|
|
From: erouault <erouault>
|
|
Date: Sun, 21 Dec 2014 19:53:59 +0000
|
|
Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write
|
|
http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
|
|
|
|
---
|
|
ChangeLog | 5 +++++
|
|
tools/thumbnail.c | 8 +++++++-
|
|
2 files changed, 12 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/tools/thumbnail.c b/tools/thumbnail.c
|
|
index fab63f6..c50bbff 100644
|
|
--- a/tools/thumbnail.c
|
|
+++ b/tools/thumbnail.c
|
|
@@ -568,7 +568,13 @@ setImage1(const uint8* br, uint32 rw, uint32 rh)
|
|
err -= limit;
|
|
sy++;
|
|
if (err >= limit)
|
|
- rows[nrows++] = br + bpr*sy;
|
|
+ {
|
|
+ /* We should perhaps error loudly, but I can't make sense of that */
|
|
+ /* code... */
|
|
+ if( nrows == 256 )
|
|
+ break;
|
|
+ rows[nrows++] = br + bpr*sy;
|
|
+ }
|
|
}
|
|
setrow(row, nrows, rows);
|
|
row += tnw;
|