https://github.com/libsdl-org/libtiff/commit/94e732d78f4233449640e00fcec0de8c3fb23685
From 94e732d78f4233449640e00fcec0de8c3fb23685 Mon Sep 17 00:00:00 2001
From: Frank Warmerdam <[EMAIL REDACTED]>
Date: Mon, 22 Jun 2009 04:57:31 +0000
Subject: [PATCH] fixed buffer underflow bug (#2065)
---
ChangeLog | 5 +++++
libtiff/tif_lzw.c | 5 +++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 8d9c9c77..bde1fb40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-06-22 Frank Warmerdam <warmerdam@pobox.com>
+
+ * libtiff/tif_lzw.c: Fix buffer underflow bug.
+ http://bugzilla.maptools.org/show_bug.cgi?id=2065
+
2009-06-03 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_write.c: do not override the planar configuration to be
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index b870e857..bc4dac65 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -1,4 +1,4 @@
-/* $Id: tif_lzw.c,v 1.29.2.4 2009-01-01 00:10:43 bfriesen Exp $ */
+/* $Id: tif_lzw.c,v 1.29.2.5 2009-06-22 04:57:31 fwarmerdam Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -675,6 +675,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, tsize_t occ0, tsample_t s)
}
oldcodep = codep;
if (code >= 256) {
+ char *op_orig = op;
/*
* Code maps to a string, copy string
* value to output (written in reverse).
@@ -709,7 +710,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, tsize_t occ0, tsample_t s)
tp = op;
do {
*--tp = codep->value;
- } while( (codep = codep->next) != NULL);
+ } while( (codep = codep->next) != NULL && tp > op_orig);
} else
*op++ = code, occ--;
}