Created an attachment (id=324): patch for CVE-2009-2347

tiff2rgba and rgb2ycbcr fail to guard against integer overflow while computing the size of the required raster buffer. A malicious input file could therefore overwrite heap memory and potentially achieve arbitrary code execution. I have applied the attached patch for Red Hat's releases of 3.8.2 and prior versions. I have not looked at 3.9 or later.
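Added example, not part of the bug thread or the attached patches: a C sketch of the overflow class described in the comment above, where a raster size computed as width × height × pixel size wraps in 32-bit arithmetic, next to a checked form that rejects such dimensions. Sizes are modelled as `uint32_t` (an assumption), and the function names and sample dimensions are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: sizes are modelled as 32-bit values; names are hypothetical. */

/* Unchecked form: the product wraps modulo 2^32 without any error. */
static uint32_t raster_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * (uint32_t)sizeof(uint32_t);
}

/* Checked form: returns 0 and stores the size in *out, or -1 if the
 * image is empty or the size does not fit in 32 bits. */
static int raster_bytes_checked(uint32_t width, uint32_t height, uint32_t *out)
{
    uint32_t pixels;

    if (width == 0 || height == 0)
        return -1;
    if (width > UINT32_MAX / height)          /* width * height would wrap */
        return -1;
    pixels = width * height;
    if (pixels > UINT32_MAX / (uint32_t)sizeof(uint32_t))
        return -1;                            /* pixels * 4 would wrap */
    *out = pixels * (uint32_t)sizeof(uint32_t);
    return 0;
}

/* Allocate a raster only when the size computation is known to be exact. */
static uint32_t *alloc_raster(uint32_t width, uint32_t height)
{
    uint32_t bytes;

    if (raster_bytes_checked(width, height, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed dimensions: 0x10001 * 0x4000 * 4 = 0x100010000. */
    uint32_t w = 0x10001u, h = 0x4000u;
    uint32_t *r = alloc_raster(w, h);

    printf("unchecked size: %u bytes\n", (unsigned)raster_bytes_unchecked(w, h));
    printf("checked alloc:  %s\n", r ? "allocated" : "rejected");
    free(r);
    return 0;
}
```

With the constructed dimensions the unchecked computation yields a 64 KiB buffer for an image that needs over 4 GiB, which is the condition under which later writes run past the heap allocation.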
I'm attaching a patch for this problem that applies cleanly to the current 3.9 branch.
Created an attachment (id=327): patch relative to 3.9 branch

Looking at the patch I'm posting and comparing it to the patch already posted here, I see that they are a little different. The one I've provided (which I didn't originally create but could trace if needed) has a little bit more code duplication and also changes a variable name for clarity (the original code shadows a variable). Anyway, you might just want to apply the original patch, manually adjusting as needed. I didn't have any trouble adjusting the patch for the 3.9 branch, but it did require a few hunks to be applied manually.
Applied to 3.9 branch.
Am I right that this still hasn't been applied to the trunk?
Fixes applied to CVS HEAD.
I was disappointed to find out that this is only partially fixed as of 3.9.2. There are three vulnerable spots in tiff2rgba.c and only one got fixed. Please see my original patch.
Created an attachment (id=389): portion of patch still not applied in 3.9.3

This portion of the original patch is still missing in the 3.9 branch, as per my previous comment.
The missing patch is now applied to the 3.9 branch and will appear in 3.9.4. Sorry about that.