Upstream patch for CVE-2012-4564.

diff -Naur tiff-3.9.4.orig/tools/ppm2tiff.c tiff-3.9.4/tools/ppm2tiff.c

--- tiff-3.9.4.orig/tools/ppm2tiff.c	2010-06-08 14:50:44.000000000 -0400

+++ tiff-3.9.4/tools/ppm2tiff.c	2012-12-10 16:16:05.154045877 -0500

@@ -68,6 +68,17 @@

 	exit(-2);

 }

+static tsize_t

+multiply_ms(tsize_t m1, tsize_t m2)

+{

+	tsize_t bytes = m1 * m2;

+

+	if (m1 && bytes / m1 != m2)

+		bytes = 0;

+

+	return bytes;

+}

+

 int

 main(int argc, char* argv[])

 {

@@ -85,6 +96,7 @@

 	int c;

 	extern int optind;

 	extern char* optarg;

+	tsize_t scanline_size;

 	if (argc < 2) {

 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);

@@ -217,7 +229,8 @@

 	}

 	switch (bpp) {

 		case 1:

-			linebytes = (spp * w + (8 - 1)) / 8;

+			/* if round-up overflows, result will be zero, OK */

+			linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;

 			if (rowsperstrip == (uint32) -1) {

 				TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);

 			} else {

@@ -226,15 +239,31 @@

 			}

 			break;

 		case 8:

-			linebytes = spp * w;

+			linebytes = multiply_ms(spp, w);

 			TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,

 			    TIFFDefaultStripSize(out, rowsperstrip));

 			break;

 	}

-	if (TIFFScanlineSize(out) > linebytes)

+	if (linebytes == 0) {

+		fprintf(stderr, "%s: scanline size overflow\n", infile);

+		(void) TIFFClose(out);

+		exit(-2);					

+	}

+	scanline_size = TIFFScanlineSize(out);

+	if (scanline_size == 0) {

+		/* overflow - TIFFScanlineSize already printed a message */

+		(void) TIFFClose(out);

+		exit(-2);					

+	}

+	if (scanline_size < linebytes)

 		buf = (unsigned char *)_TIFFmalloc(linebytes);

 	else

-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));

+		buf = (unsigned char *)_TIFFmalloc(scanline_size);

+	if (buf == NULL) {

+		fprintf(stderr, "%s: Not enough memory\n", infile);

+		(void) TIFFClose(out);

+		exit(-2);

+	}

 	if (resolution > 0) {

 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);

 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);