$NetBSD: patch-bb,v 1.1 2006/08/02 15:42:25 salo Exp $

Security fix for SA21304.

--- libtiff/tif_pixarlog.c.orig	2006-03-21 17:42:50.000000000 +0100
+++ libtiff/tif_pixarlog.c	2006-08-02 17:18:41.000000000 +0200
@@ -768,7 +768,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, t
 	if (tif->tif_flags & TIFF_SWAB)
 		TIFFSwabArrayOfShort(up, nsamples);
 
-	for (i = 0; i < nsamples; i += llen, up += llen) {
+	/* 
+	 * if llen is not an exact multiple of nsamples, the decode operation
+	 * may overflow the output buffer, so truncate it enough to prevent that
+	 * but still salvage as much data as possible.
+	 * -- taviso@google.com 14th June 2006
+	 */
+	if (nsamples % llen) 
+		TIFFWarningExt(tif->tif_clientdata, module,
+				"%s: stride %lu is not a multiple of sample count, "
+				"%lu, data truncated.", tif->tif_name, llen, nsamples);
+				
+	
+	for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
 		switch (sp->user_datafmt)  {
 		case PIXARLOGDATAFMT_FLOAT:
 			horizontalAccumulateF(up, llen, sp->stride,
