Нема описа

011-CVE-2013-1960.patch 4.1KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146
  1. Index: tiff-4.0.3/tools/tiff2pdf.c
  2. ===================================================================
  3. --- tiff-4.0.3.orig/tools/tiff2pdf.c 2013-06-23 10:36:50.979629486 -0400
  4. +++ tiff-4.0.3/tools/tiff2pdf.c 2013-06-23 10:36:50.975629486 -0400
  5. @@ -3341,33 +3341,56 @@
  6. uint32 height){
  7. tsize_t i=0;
  8. - uint16 ri =0;
  9. - uint16 v_samp=1;
  10. - uint16 h_samp=1;
  11. - int j=0;
  12. -
  13. - i++;
  14. -
  15. - while(i<(*striplength)){
  16. +
  17. + while (i < *striplength) {
  18. + tsize_t datalen;
  19. + uint16 ri;
  20. + uint16 v_samp;
  21. + uint16 h_samp;
  22. + int j;
  23. + int ncomp;
  24. +
  25. + /* marker header: one or more FFs */
  26. + if (strip[i] != 0xff)
  27. + return(0);
  28. + i++;
  29. + while (i < *striplength && strip[i] == 0xff)
  30. + i++;
  31. + if (i >= *striplength)
  32. + return(0);
  33. + /* SOI is the only pre-SOS marker without a length word */
  34. + if (strip[i] == 0xd8)
  35. + datalen = 0;
  36. + else {
  37. + if ((*striplength - i) <= 2)
  38. + return(0);
  39. + datalen = (strip[i+1] << 8) | strip[i+2];
  40. + if (datalen < 2 || datalen >= (*striplength - i))
  41. + return(0);
  42. + }
  43. switch( strip[i] ){
  44. - case 0xd8:
  45. - /* SOI - start of image */
  46. + case 0xd8: /* SOI - start of image */
  47. _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
  48. *bufferoffset+=2;
  49. - i+=2;
  50. break;
  51. - case 0xc0:
  52. - case 0xc1:
  53. - case 0xc3:
  54. - case 0xc9:
  55. - case 0xca:
  56. + case 0xc0: /* SOF0 */
  57. + case 0xc1: /* SOF1 */
  58. + case 0xc3: /* SOF3 */
  59. + case 0xc9: /* SOF9 */
  60. + case 0xca: /* SOF10 */
  61. if(no==0){
  62. - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
  63. - for(j=0;j<buffer[*bufferoffset+9];j++){
  64. - if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
  65. - h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
  66. - if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
  67. - v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
  68. + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
  69. + ncomp = buffer[*bufferoffset+9];
  70. + if (ncomp < 1 || ncomp > 4)
  71. + return(0);
  72. + v_samp=1;
  73. + h_samp=1;
  74. + for(j=0;j<ncomp;j++){
  75. + uint16 samp = buffer[*bufferoffset+11+(3*j)];
  76. + if( (samp>>4) > h_samp)
  77. + h_samp = (samp>>4);
  78. + if( (samp & 0x0f) > v_samp)
  79. + v_samp = (samp & 0x0f);
  80. }
  81. v_samp*=8;
  82. h_samp*=8;
  83. @@ -3381,45 +3404,43 @@
  84. (unsigned char) ((height>>8) & 0xff);
  85. buffer[*bufferoffset+6]=
  86. (unsigned char) (height & 0xff);
  87. - *bufferoffset+=strip[i+2]+2;
  88. - i+=strip[i+2]+2;
  89. -
  90. + *bufferoffset+=datalen+2;
  91. + /* insert a DRI marker */
  92. buffer[(*bufferoffset)++]=0xff;
  93. buffer[(*bufferoffset)++]=0xdd;
  94. buffer[(*bufferoffset)++]=0x00;
  95. buffer[(*bufferoffset)++]=0x04;
  96. buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
  97. buffer[(*bufferoffset)++]= ri & 0xff;
  98. - } else {
  99. - i+=strip[i+2]+2;
  100. }
  101. break;
  102. - case 0xc4:
  103. - case 0xdb:
  104. - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
  105. - *bufferoffset+=strip[i+2]+2;
  106. - i+=strip[i+2]+2;
  107. + case 0xc4: /* DHT */
  108. + case 0xdb: /* DQT */
  109. + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
  110. + *bufferoffset+=datalen+2;
  111. break;
  112. - case 0xda:
  113. + case 0xda: /* SOS */
  114. if(no==0){
  115. - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
  116. - *bufferoffset+=strip[i+2]+2;
  117. - i+=strip[i+2]+2;
  118. + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
  119. + *bufferoffset+=datalen+2;
  120. } else {
  121. buffer[(*bufferoffset)++]=0xff;
  122. buffer[(*bufferoffset)++]=
  123. (unsigned char)(0xd0 | ((no-1)%8));
  124. - i+=strip[i+2]+2;
  125. }
  126. - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
  127. - *bufferoffset+=(*striplength)-i-1;
  128. + i += datalen + 1;
  129. + /* copy remainder of strip */
  130. + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
  131. + *bufferoffset+= *striplength - i;
  132. return(1);
  133. default:
  134. - i+=strip[i+2]+2;
  135. + /* ignore any other marker */
  136. + break;
  137. }
  138. + i += datalen + 1;
  139. }
  140. -
  141. + /* failed to find SOS marker */
  142. return(0);
  143. }
  144. #endif