42 lines
1.7 KiB
Diff
42 lines
1.7 KiB
Diff
Fix CVE-2016-9273:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
|
|
http://bugzilla.maptools.org/show_bug.cgi?id=2587
|
|
|
|
Patch extracted from upstream CVS repo:
|
|
|
|
2016-11-10 Even Rouault <even.rouault at spatialys.com>
|
|
|
|
revision 1.37
|
|
date: 2016-11-09 18:00:49 -0500; author: erouault; state: Exp; lines: +10 -1; commitid: pzKipPxDJO2dxvtz;
|
|
* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
|
|
value when it is non-zero, instead of recomputing it. This is needed in
|
|
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
|
|
array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
|
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
|
|
|
|
Index: libtiff/tif_strip.c
|
|
===================================================================
|
|
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
|
|
retrieving revision 1.36
|
|
retrieving revision 1.37
|
|
diff -u -r1.36 -r1.37
|
|
--- a/libtiff/tif_strip.c 7 Jun 2015 22:35:40 -0000 1.36
|
|
+++ b/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37
|
|
@@ -63,6 +63,15 @@
|
|
TIFFDirectory *td = &tif->tif_dir;
|
|
uint32 nstrips;
|
|
|
|
+ /* If the value was already computed and store in td_nstrips, then return it,
|
|
+ since ChopUpSingleUncompressedStrip might have altered and resized the
|
|
+ since the td_stripbytecount and td_stripoffset arrays to the new value
|
|
+ after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
|
|
+ tif_dirread.c ~line 3612.
|
|
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
|
|
+ if( td->td_nstrips )
|
|
+ return td->td_nstrips;
|
|
+
|
|
nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
|
|
TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
|
|
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
|