Diffstat (limited to 'libtiff-CVE-2016-10271_10272.patch')
-rw-r--r--libtiff-CVE-2016-10271_10272.patch28
1 files changed, 28 insertions, 0 deletions
diff --git a/libtiff-CVE-2016-10271_10272.patch b/libtiff-CVE-2016-10271_10272.patch
new file mode 100644
index 000000000000..4b33cb1519d9
--- /dev/null
+++ b/libtiff-CVE-2016-10271_10272.patch
@@ -0,0 +1,28 @@
+From 9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 11:35:56 +0000
+Subject: [PATCH] * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i
+ (ignore) mode so that the output buffer is correctly incremented to avoid
+ write outside bounds. Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2620
+
+---
+ tools/tiffcrop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b87a77a..70a71e1 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
+ (unsigned long) strip, (unsigned long)rows);
+ return 0;
+ }
+- bufp += bytes_read;
++ bufp += stripsize;
+ }
+
+ return 1;
+--
+2.7.4
+
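Review bot: The new `bufp += stripsize;` in the tools/tiffcrop.c hunk relies on two things that are not stated beside it: that `bytes_read` can be negative or short when the error return just above is skipped in -i mode, and that the caller sized `buf` for a full `stripsize` per strip. Without a comment, a later cleanup could plausibly switch it back to `bytes_read`; something like `/* advance by the nominal strip size: in ignore mode bytes_read may be negative or short */` would record the reason. When a failed strip is ignored, the bytes between what was actually read and the next strip boundary are presumably left as the caller supplied them, so it is worth confirming the buffer is zero-filled at allocation to keep stale heap contents out of the output image. readContigStripsIntoBuffer starts outside the hunk, so the allocation size and the loop header cannot be checked from here. The patch file name cites CVE-2016-10271 and CVE-2016-10272 while the embedded commit message cites only the bugzilla entry, so a header line mapping the CVE ids to this fix would help later audits.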