Blame SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch

ccba1e
From 98e37a5c822bdfed2343e6ab9d03680e85783aef Mon Sep 17 00:00:00 2001
b03815
From: Thomas Bernard <miniupnp@free.fr>
b03815
Date: Mon, 11 Feb 2019 10:05:33 +0100
ccba1e
Subject: [PATCH] (CVE-2018-12900) check that (Tile Width)*(Samples/Pixel) do
ccba1e
 no overflow
b03815
b03815
fixes bug 2833
ccba1e
ccba1e
(cherry picked from commit 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d)
b03815
---
b03815
 tools/tiffcp.c | 9 ++++++++-
b03815
 1 file changed, 8 insertions(+), 1 deletion(-)
b03815
b03815
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
ccba1e
index 489459a7..96f14728 100644
b03815
--- a/tools/tiffcp.c
b03815
+++ b/tools/tiffcp.c
b03815
@@ -43,6 +43,7 @@
b03815
 #include <stdio.h>
b03815
 #include <stdlib.h>
b03815
 #include <string.h>
b03815
+#include <limits.h>
b03815
 
b03815
 #include <ctype.h>
b03815
 
b03815
@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
b03815
 	int status = 1;
b03815
 	uint32 imagew = TIFFRasterScanlineSize(in);
b03815
 	uint32 tilew = TIFFTileRowSize(in);
b03815
-	int iskew  = imagew - tilew*spp;
b03815
+	int iskew;
b03815
 	tsize_t tilesize = TIFFTileSize(in);
b03815
 	tdata_t tilebuf;
b03815
 	uint8* bufp = (uint8*) buf;
b03815
@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
b03815
 	uint32 row;
b03815
 	uint16 bps = 0, bytes_per_sample;
b03815
 
b03815
+	if (tilew && spp > (INT_MAX / tilew))
b03815
+	{
b03815
+		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
b03815
+		return 0;
b03815
+	}
b03815
+	iskew = imagew - tilew*spp;
b03815
 	tilebuf = _TIFFmalloc(tilesize);
b03815
 	if (tilebuf == 0)
b03815
 		return 0;