$OpenBSD: patch-libtiff_tif_next_c,v 1.3 2008/10/25 09:39:29 naddy Exp $

CVE-2006-3462

--- libtiff/tif_next.c.orig	Wed Dec 21 13:33:56 2005
+++ libtiff/tif_next.c	Fri Oct 24 18:54:53 2008
@@ -105,11 +105,16 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsamp
 			 * as codes of the form <color><npixels>
 			 * until we've filled the scanline.
 			 */
+			/*
+			 * Ensure the run does not exceed the scanline
+			 * bounds, potentially resulting in a security issue.
+			 * -- taviso@google.com 14 Jun 2006.
+			 */
 			op = row;
 			for (;;) {
 				grey = (n>>6) & 0x3;
 				n &= 0x3f;
-				while (n-- > 0)
+				while (n-- > 0 && npixels < imagewidth)
 					SETPIXEL(op, grey);
 				if (npixels >= (int) imagewidth)
 					break;
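Review bot: The added guard on the inner `while` compares `npixels < imagewidth` without the `(int)` cast that the exit test two lines below uses (`npixels >= (int) imagewidth`), so the two bounds checks on the same pair of variables may follow different signed/unsigned conversion rules. The declarations are outside the hunk, so the exact types cannot be confirmed here, but writing the guard as `while (n-- > 0 && npixels < (int) imagewidth)` keeps both tests identical and avoids a sign-compare warning. An over-long run is also now clipped silently; if the decoder has an error path for corrupt data, a run that would overrun the scanline is a good candidate for it, so malformed files are reported rather than partially decoded. The new comment would read better directly above the `while` it describes than above `op = row;`. NeXTDecode's body starts and ends outside the hunk.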
