libs/tiff/patches/020-CVE-2019-7663.patch

   1 From 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 Mon Sep 17 00:00:00 2001
   2 From: Thomas Bernard <miniupnp@free.fr>
   3 Date: Tue, 29 Jan 2019 11:21:47 +0100
   4 Subject: [PATCH] TIFFWriteDirectoryTagTransferfunction() : fix NULL
   5  dereferencing
   6
   7 http://bugzilla.maptools.org/show_bug.cgi?id=2833
   8
   9 we must check the pointer is not NULL before memcmp() the memory
  10 ---
  11  libtiff/tif_dirwrite.c | 6 ++++--
  12  1 file changed, 4 insertions(+), 2 deletions(-)
  13
  14 diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
  15 index c15a28db..ef30c869 100644
  16 --- a/libtiff/tif_dirwrite.c
  17 +++ b/libtiff/tif_dirwrite.c
  18 @@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
  19                 n=3;
  20         if (n==3)
  21         {
  22 -               if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
  23 +               if (tif->tif_dir.td_transferfunction[2] == NULL ||
  24 +                   !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
  25                         n=2;
  26         }
  27         if (n==2)
  28         {
  29 -               if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
  30 +               if (tif->tif_dir.td_transferfunction[1] == NULL ||
  31 +                   !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
  32                         n=1;
  33         }
  34         if (n==0)
  35 --
  36 2.18.1
  37