Martin Pitt <[EMAIL PROTECTED]> wrote: > libtiff4 isn't even in woody. I didn't check whether this flaw affects > woody's TIFF library, though.
But libtiff3g is, and this bug is there. Security: I'm attaching a patch against the woody version. THIS IS UNTESTED. I extracted the source package for the current woody version (3.5.5-6.woody5) and hand-applied the patch to the extracted version (i.e. on top of other packages already there). The offending code is there only twice in the woody version. (It's there three times in the current version.) The attached patch should apply against that. As I said, I haven't tested or even attempted to build it in a woody environment since I don't have a woody build environment set up and have no time today! I did build it in a sid environment, so I know it at least compiles, but I didn't run it. I hope this saves you at least some effort. >> Martin, will you take care of applying this patch to the Breezy >> version? > > Yes, of course. :-) It currently doesn't build because of a library of > our new X.org, but that's an entirely different problem. I already > ported the patch itself. Okay, see Ubuntu bug 10952. :-) I'm probably duplicating your effort but maybe it will still be useful. -- Jay Berkenbilt <[EMAIL PROTECTED]>
--- libtiff/tif_dirread.c~ 2005-05-19 06:26:07.896339528 -0400
+++ libtiff/tif_dirread.c 2005-05-19 06:30:14.865794464 -0400
@@ -1178,12 +1178,16 @@
uint16 buf[10];
uint16* v = buf;
- if (samples > NITEMS(buf))
- v = (uint16*) CheckMalloc(tif, samples, sizeof (uint16),
+ if (dir->tdir_count > NITEMS(buf))
+ v = (uint16*) CheckMalloc(tif, dir->tdir_count, sizeof(uint16),
"to fetch per-sample values");
if (v && TIFFFetchShortArray(tif, dir, v)) {
int i;
- for (i = 1; i < samples; i++)
+ int check_count = dir->tdir_count;
+ if( samples < check_count )
+ check_count = samples;
+
+ for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
TIFFError(tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
@@ -1215,12 +1219,16 @@
double buf[10];
double* v = buf;
- if (samples > NITEMS(buf))
- v = (double*) CheckMalloc(tif, samples, sizeof (double),
+ if (dir->tdir_count > NITEMS(buf))
+ v = (double*) CheckMalloc(tif, dir->tdir_count, sizeof (double),
"to fetch per-sample values");
if (v && TIFFFetchAnyArray(tif, dir, v)) {
int i;
- for (i = 1; i < samples; i++)
+ int check_count = dir->tdir_count;
+ if( samples < check_count )
+ check_count = samples;
+
+ for (i = 1; i < check_count; i++)
if (v[i] != v[0]) {
TIFFError(tif->tif_name,
"Cannot handle different per-sample values for field \"%s\"",
pgpEmZt7HeED4.pgp
Description: PGP signature
