| From 9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a Mon Sep 17 00:00:00 2001 |
| From: erouault <erouault> |
| Date: Sat, 3 Dec 2016 11:35:56 +0000 |
| Subject: [PATCH] * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i |
| (ignore) mode so that the output buffer is correctly incremented to avoid |
| write outside bounds. Reported by Agostino Sarubbo. Fixes |
| http://bugzilla.maptools.org/show_bug.cgi?id=2620 |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-10271 |
| Signed-off-by: Rajkumar Veer <rveer@mvista.com> |
| |
| --- |
| ChangeLog | 7 +++++++ |
| tools/tiffcrop.c | 2 +- |
| 2 files changed, 8 insertions(+), 1 deletion(-) |
| |
| Index: tiff-4.0.7/tools/tiffcrop.c |
| =================================================================== |
| --- tiff-4.0.7.orig/tools/tiffcrop.c |
| +++ tiff-4.0.7/tools/tiffcrop.c |
| @@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (T |
| (unsigned long) strip, (unsigned long)rows); |
| return 0; |
| } |
| - bufp += bytes_read; |
| + bufp += stripsize; |
| } |
| |
| return 1; |