head	1.2;
access;
symbols
	pkgsrc-2014Q4:1.1.0.12
	pkgsrc-2014Q4-base:1.1
	pkgsrc-2014Q3:1.1.0.10
	pkgsrc-2014Q3-base:1.1
	pkgsrc-2014Q2:1.1.0.8
	pkgsrc-2014Q2-base:1.1
	pkgsrc-2014Q1:1.1.0.6
	pkgsrc-2014Q1-base:1.1
	pkgsrc-2013Q4:1.1.0.4
	pkgsrc-2013Q4-base:1.1
	pkgsrc-2013Q3:1.1.0.2
	pkgsrc-2013Q3-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2015.03.29.14.47.03;	author bsiegert;	state dead;
branches;
next	1.1;
commitid	3mL0zkxEOwrPMvfy;

1.1
date	2013.09.21.18.47.05;	author dholland;	state Exp;
branches;
next	;
commitid	CgijbEWZBEuXVk6x;


desc
@@


1.2
log
@SECURITY: Update libtiff to 4.0.4beta to fix
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130 (likely)

Remaining unfixed vulnerabilities: CVE-2014-9655, CVE-2015-1547 (but
these are unfixed upstream AFAICS).

ok wiz
@
text
@$NetBSD: patch-CVE-2013-4243,v 1.1 2013/09/21 18:47:05 dholland Exp $

Upstream candidate patch for CVE 2013-4243.
taken from http://bugzilla.maptools.org/attachment.cgi?id=518
(via http://bugzilla.maptools.org/show_bug.cgi?id=2451)

Despite looking suspect with respect to integer overflows, this
appears to be ok, as long as you aren't on a 16-bit platform, because
the largest image size the input can encode is apparently 65535*65535.

--- tools/gif2tiff.c.orig	2013-09-21 18:45:13.000000000 +0000
+++ tools/gif2tiff.c
@@@@ -280,6 +280,10 @@@@ readgifimage(char* mode)
         fprintf(stderr, "no colormap present for image\n");
         return (0);
     }
+    if (width == 0 || height == 0) {
+        fprintf(stderr, "Invalid value of width or height\n");
+        return(0);
+    }
     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
         fprintf(stderr, "not enough memory for image\n");
         return (0);
@@@@ -406,6 +410,10 @@@@ process(register int code, unsigned char
 	    fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
 	    return 0;
 	}
+	if (*fill >= raster + width*height) {
+	    fprintf(stderr, "raster full before eoi code\n");
+	    return 0;
+	}
 	*(*fill)++ = suffix[code];
 	firstchar = oldcode = code;
 	return 1;
@@@@ -436,6 +444,10 @@@@ process(register int code, unsigned char
     }
     oldcode = incode;
     do {
+        if (*fill >= raster + width*height) {
+            fprintf(stderr, "raster full before eoi code\n");
+            return 0;
+        }
 	*(*fill)++ = *--stackp;
     } while (stackp > stack);
     return 1;
@


1.1
log
@Add upstream candidate patch for CVE-2013-4243. PKGREVISION -> 6
@
text
@d1 1
a1 1
$NetBSD$
@