packages/libs/tiff/patches/902-cve-2008-2327.patch

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2327

--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -237,6 +237,13 @@ LZWSetupDecode(TIFF* tif)
                     sp->dec_codetab[code].length = 1;
                     sp->dec_codetab[code].next = NULL;
                 } while (code--);
+                /*
+                 * Zero-out the unused entries
+                 */
+                 _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+                 (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
+
+
 	}
 	return (1);
 }
@@ -408,12 +415,20 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
 			break;
 		if (code == CODE_CLEAR) {
 			free_entp = sp->dec_codetab + CODE_FIRST;
+			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
 			nbits = BITS_MIN;
 			nbitsmask = MAXCODE(BITS_MIN);
 			maxcodep = sp->dec_codetab + nbitsmask-1;
 			NextCode(tif, sp, bp, code, GetNextCode);
 			if (code == CODE_EOI)
 				break;
+			 if (code == CODE_CLEAR) {
+				 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+				 "LZWDecode: Corrupted LZW table at scanline %d",
+				 tif->tif_row);
+				 return (0);
+			 }
+
 			*op++ = (char)code, occ--;
 			oldcodep = sp->dec_codetab + code;
 			continue;
@@ -604,12 +619,20 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
 			break;
 		if (code == CODE_CLEAR) {
 			free_entp = sp->dec_codetab + CODE_FIRST;
+			 _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
 			nbits = BITS_MIN;
 			nbitsmask = MAXCODE(BITS_MIN);
 			maxcodep = sp->dec_codetab + nbitsmask;
 			NextCode(tif, sp, bp, code, GetNextCodeCompat);
 			if (code == CODE_EOI)
 				break;
+			 if (code == CODE_CLEAR) {
+				 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+				 "LZWDecode: Corrupted LZW table at scanline %d",
+				 tif->tif_row);
+				 return (0);
+			 }
+
 			*op++ = code, occ--;
 			oldcodep = sp->dec_codetab + code;
 			continue;
[packages] libtiff: fix multiple buffer overflows (patches from Debian) - CVE-2006-3459 - CVE-2006-3465 - CVE-2008-2327 - CVE-2009-2285 git-svn-id: svn://svn.openwrt.org/openwrt/packages@16751 3c298f89-4303-0410-b956-a3cf2f4a3e73 2009-07-09 14:35:40 +00:00			`http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2327`

			`--- a/libtiff/tif_lzw.c`
			`+++ b/libtiff/tif_lzw.c`
			`@@ -237,6 +237,13 @@ LZWSetupDecode(TIFF* tif)`
			`sp->dec_codetab[code].length = 1;`
			`sp->dec_codetab[code].next = NULL;`
			`} while (code--);`
			`+ /*`
			`+ * Zero-out the unused entries`
			`+ */`
			`+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,`
			`+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));`
			`+`
			`+`
			`}`
			`return (1);`
			`}`
			`@@ -408,12 +415,20 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize`
			`break;`
			`if (code == CODE_CLEAR) {`
			`free_entp = sp->dec_codetab + CODE_FIRST;`
			`+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));`
			`nbits = BITS_MIN;`
			`nbitsmask = MAXCODE(BITS_MIN);`
			`maxcodep = sp->dec_codetab + nbitsmask-1;`
			`NextCode(tif, sp, bp, code, GetNextCode);`
			`if (code == CODE_EOI)`
			`break;`
			`+ if (code == CODE_CLEAR) {`
			`+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,`
			`+ "LZWDecode: Corrupted LZW table at scanline %d",`
			`+ tif->tif_row);`
			`+ return (0);`
			`+ }`
			`+`
			`*op++ = (char)code, occ--;`
			`oldcodep = sp->dec_codetab + code;`
			`continue;`
			`@@ -604,12 +619,20 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,`
			`break;`
			`if (code == CODE_CLEAR) {`
			`free_entp = sp->dec_codetab + CODE_FIRST;`
			`+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));`
			`nbits = BITS_MIN;`
			`nbitsmask = MAXCODE(BITS_MIN);`
			`maxcodep = sp->dec_codetab + nbitsmask;`
			`NextCode(tif, sp, bp, code, GetNextCodeCompat);`
			`if (code == CODE_EOI)`
			`break;`
			`+ if (code == CODE_CLEAR) {`
			`+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,`
			`+ "LZWDecode: Corrupted LZW table at scanline %d",`
			`+ tif->tif_row);`
			`+ return (0);`
			`+ }`
			`+`
			`*op++ = code, occ--;`
			`oldcodep = sp->dec_codetab + code;`
			`continue;`