8ca2e9
Upstream patch for CVE-2012-4564.
8ca2e9
8ca2e9
8ca2e9
diff -Naur tiff-3.9.4.orig/tools/ppm2tiff.c tiff-3.9.4/tools/ppm2tiff.c
8ca2e9
--- tiff-3.9.4.orig/tools/ppm2tiff.c	2010-06-08 14:50:44.000000000 -0400
8ca2e9
+++ tiff-3.9.4/tools/ppm2tiff.c	2012-12-10 16:16:05.154045877 -0500
8ca2e9
@@ -68,6 +68,17 @@
8ca2e9
 	exit(-2);
8ca2e9
 }
8ca2e9
 
8ca2e9
+static tsize_t
8ca2e9
+multiply_ms(tsize_t m1, tsize_t m2)
8ca2e9
+{
8ca2e9
+	tsize_t bytes = m1 * m2;
8ca2e9
+
8ca2e9
+	if (m1 && bytes / m1 != m2)
8ca2e9
+		bytes = 0;
8ca2e9
+
8ca2e9
+	return bytes;
8ca2e9
+}
8ca2e9
+
8ca2e9
 int
8ca2e9
 main(int argc, char* argv[])
8ca2e9
 {
8ca2e9
@@ -85,6 +96,7 @@
8ca2e9
 	int c;
8ca2e9
 	extern int optind;
8ca2e9
 	extern char* optarg;
8ca2e9
+	tsize_t scanline_size;
8ca2e9
 
8ca2e9
 	if (argc < 2) {
8ca2e9
 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
8ca2e9
@@ -217,7 +229,8 @@
8ca2e9
 	}
8ca2e9
 	switch (bpp) {
8ca2e9
 		case 1:
8ca2e9
-			linebytes = (spp * w + (8 - 1)) / 8;
8ca2e9
+			/* if round-up overflows, result will be zero, OK */
8ca2e9
+			linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
8ca2e9
 			if (rowsperstrip == (uint32) -1) {
8ca2e9
 				TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
8ca2e9
 			} else {
8ca2e9
@@ -226,15 +239,31 @@
8ca2e9
 			}
8ca2e9
 			break;
8ca2e9
 		case 8:
8ca2e9
-			linebytes = spp * w;
8ca2e9
+			linebytes = multiply_ms(spp, w);
8ca2e9
 			TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
8ca2e9
 			    TIFFDefaultStripSize(out, rowsperstrip));
8ca2e9
 			break;
8ca2e9
 	}
8ca2e9
-	if (TIFFScanlineSize(out) > linebytes)
8ca2e9
+	if (linebytes == 0) {
8ca2e9
+		fprintf(stderr, "%s: scanline size overflow\n", infile);
8ca2e9
+		(void) TIFFClose(out);
8ca2e9
+		exit(-2);					
8ca2e9
+	}
8ca2e9
+	scanline_size = TIFFScanlineSize(out);
8ca2e9
+	if (scanline_size == 0) {
8ca2e9
+		/* overflow - TIFFScanlineSize already printed a message */
8ca2e9
+		(void) TIFFClose(out);
8ca2e9
+		exit(-2);					
8ca2e9
+	}
8ca2e9
+	if (scanline_size < linebytes)
8ca2e9
 		buf = (unsigned char *)_TIFFmalloc(linebytes);
8ca2e9
 	else
8ca2e9
-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
8ca2e9
+		buf = (unsigned char *)_TIFFmalloc(scanline_size);
8ca2e9
+	if (buf == NULL) {
8ca2e9
+		fprintf(stderr, "%s: Not enough memory\n", infile);
8ca2e9
+		(void) TIFFClose(out);
8ca2e9
+		exit(-2);
8ca2e9
+	}
8ca2e9
 	if (resolution > 0) {
8ca2e9
 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
8ca2e9
 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);