2012.01.07 02:29 "[Tiff] Proposed modification to", by Ryan Wong

This is a proposed modification to Tom Lane's patch in http://bugzilla.maptools.org/show_bug.cgi?id=2297

We have a customer-submitted image which cannot be decoded once we applied Tom's patch (http://bugzilla.maptools.org/attachment.cgi?id=443). The image contains privacy information which cannot be shared.

Our investigation leads us to propose another patch, which relaxes the catch condition slightly. The main change is that in addition to allowing (treating as valid) the case of equality at the first element of the current row, it is also allowed if it is at the second element of the row. Namely, from

    if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { unexpected(...); }

to

    if (b1 < (int) (a0 + TabEnt->Param) || (pa != thisrun && pa != thisrun + 1)) { unexpected(...); }

In our customer-submitted image, the code "V0 VL(...)" was occasionally found at the beginning of the row. In this particular image, the value of VL is always equal to (b1 - a0), thus falling into the equality case (that is, it was not trying to move backwards). Furthermore, "a0" is always zero when this code is seen. If my interpretation is correct, the following would also work:

    if (b1 < (int) (a0 + TabEnt->Param) || (pa != thisrun && pa != thisrun + 1 || a0 != 0)) { unexpected(...); }

Your opinions are greatly appreciated. In particular, we would like to know if any risk can be identified from this code change.

Regards,
rwong_002@hotmail.com

--- libtiff-3_9_5_r227596\source\libtiff\tif_fax3.h     2012-01-06 17:40:59.780697800 -0800
+++ libtiff-3_9_5\source\libtiff\tif_fax3.h     2012-01-06 17:49:50.101760000 -0800
@@ -476,13 +476,13 @@
            SETVALUE(b1 - a0 + TabEnt->Param);                          \
            b1 += *pb++;                                                \
            break;                                                      \
        case S_VL:                                                      \
            CHECK_b1;                                                   \
            if (b1 <= (int) (a0 + TabEnt->Param)) {                     \
-               if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \
+               if (b1 < (int) (a0 + TabEnt->Param) || (pa != thisrun && pa != thisrun + 1)) {  \
                    unexpected("VL", a0);                               \
                    goto eol2d;                                         \
                }                                                       \
            }                                                           \
            SETVALUE(b1 - a0 - TabEnt->Param);                          \
            b1 -= *--pb;                                                \
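
Review bot: The relaxed test on the added line, (pa != thisrun && pa != thisrun + 1), accepts the equality case at the second run entry for any value of a0, while the covering mail reports that a0 was always zero when the offending "V0 VL" sequence appeared. Since this check exists to reject malformed rows, I would keep the exception as narrow as the evidence supports and use the stricter form from the mail, with the a0 != 0 term included, unless there is a sample that needs the wider one. Note also that when the equality case is let through, SETVALUE is called with b1 - a0 - TabEnt->Param equal to 0 and is followed by b1 -= *--pb, so a short comment above the condition explaining why a zero-length result at pa == thisrun + 1 is safe would help the next reader. Minor style point: the added line runs past the column where the other continuation backslashes are aligned.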