Fixes security issues in libTIFF's handling of LZW-encoded images. The use of uninitialized data could lead to a buffer underflow and a crash or arbitrary code execution. CVE-ID: CVE-2008-2327 Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080 Index: tiff-3.8.2/libtiff/tif_lzw.c =================================================================== --- tiff-3.8.2.orig/libtiff/tif_lzw.c +++ tiff-3.8.2/libtiff/tif_lzw.c @@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif) sp->dec_codetab[code].length = 1; sp->dec_codetab[code].next = NULL; } while (code--); + /* + * Zero-out the unused entries + */ + _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, + (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); + } return (1); } @@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize break; if (code == CODE_CLEAR) { free_entp = sp->dec_codetab + CODE_FIRST; + _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); nbits = BITS_MIN; nbitsmask = MAXCODE(BITS_MIN); maxcodep = sp->dec_codetab + nbitsmask-1; NextCode(tif, sp, bp, code, GetNextCode); if (code == CODE_EOI) break; + if (code == CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); + return (0); + } *op++ = (char)code, occ--; oldcodep = sp->dec_codetab + code; continue; @@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, break; if (code == CODE_CLEAR) { free_entp = sp->dec_codetab + CODE_FIRST; + _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); nbits = BITS_MIN; nbitsmask = MAXCODE(BITS_MIN); maxcodep = sp->dec_codetab + nbitsmask; NextCode(tif, sp, bp, code, GetNextCodeCompat); if (code == CODE_EOI) break; + if (code == CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); + return (0); + } *op++ = code, occ--; oldcodep = sp->dec_codetab + code; continue;