diff options
Diffstat (limited to 'media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch')
-rw-r--r-- | media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch | 46 |
1 files changed, 0 insertions, 46 deletions
diff --git a/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch b/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch deleted file mode 100644 index 67e0ca41c995..000000000000 --- a/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch +++ /dev/null @@ -1,46 +0,0 @@ -http://bugzilla.maptools.org/show_bug.cgi?id=2596 - -From d7520d28685b96a28421ef01fb66cea8d1a96dfc Mon Sep 17 00:00:00 2001 -From: Even Rouault <even.rouault@spatialys.com> -Date: Fri, 2 Dec 2016 21:56:56 +0000 -Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow - in TIFFReadEncodedStrip() that caused an integer division by zero. Reported - by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 - ---- - ChangeLog | 7 +++++++ - libtiff/tif_read.c | 4 ++-- - libtiff/tiffiop.h | 6 +++++- - 3 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c -index 80035929f033..29a311db0cb7 100644 ---- a/libtiff/tif_read.c -+++ b/libtiff/tif_read.c -@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) - rowsperstrip=td->td_rowsperstrip; - if (rowsperstrip>td->td_imagelength) - rowsperstrip=td->td_imagelength; -- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); -+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); - stripinplane=(strip%stripsperplane); - plane=(uint16)(strip/stripsperplane); - rows=td->td_imagelength-stripinplane*rowsperstrip; -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index 8bcd0c172c08..5294ee78ffaf 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -250,6 +250,10 @@ struct tiff { - #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ - ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ - 0U) -+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ -+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ -+#define TIFFhowmany_32_maxuint_compat(x, y) \ -+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) - #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) - #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) - #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) --- -2.12.0 - |