|
 |
edc570 |
From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001
|
|
|
be5c2d |
From: Thomas Bernard <miniupnp@free.fr>
|
|
|
be5c2d |
Date: Tue, 10 Nov 2020 01:54:30 +0100
|
|
|
edc570 |
Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for
|
|
|
edc570 |
overflow
|
|
|
be5c2d |
|
|
|
be5c2d |
fixes #211
|
|
|
edc570 |
|
|
|
edc570 |
(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2)
|
|
|
be5c2d |
---
|
|
|
be5c2d |
libtiff/tif_getimage.c | 17 +++++++++++++----
|
|
|
be5c2d |
1 file changed, 13 insertions(+), 4 deletions(-)
|
|
|
be5c2d |
|
|
|
be5c2d |
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
|
|
edc570 |
index c6edd27c..b1f7cc95 100644
|
|
|
be5c2d |
--- a/libtiff/tif_getimage.c
|
|
|
be5c2d |
+++ b/libtiff/tif_getimage.c
|
|
|
be5c2d |
@@ -31,6 +31,7 @@
|
|
|
be5c2d |
*/
|
|
|
be5c2d |
#include "tiffiop.h"
|
|
|
be5c2d |
#include <stdio.h>
|
|
|
be5c2d |
+#include <limits.h>
|
|
|
be5c2d |
|
|
|
be5c2d |
static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
|
|
|
be5c2d |
static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
|
|
|
be5c2d |
@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
|
|
be5c2d |
|
|
|
be5c2d |
flip = setorientation(img);
|
|
|
be5c2d |
if (flip & FLIP_VERTICALLY) {
|
|
|
be5c2d |
- y = h - 1;
|
|
|
be5c2d |
- toskew = -(int32)(tw + w);
|
|
|
be5c2d |
+ if ((tw + w) > INT_MAX) {
|
|
|
be5c2d |
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
|
|
|
be5c2d |
+ return (0);
|
|
|
be5c2d |
+ }
|
|
|
be5c2d |
+ y = h - 1;
|
|
|
be5c2d |
+ toskew = -(int32)(tw + w);
|
|
|
be5c2d |
}
|
|
|
be5c2d |
else {
|
|
|
be5c2d |
- y = 0;
|
|
|
be5c2d |
- toskew = -(int32)(tw - w);
|
|
|
be5c2d |
+ if (tw > (INT_MAX + w)) {
|
|
|
be5c2d |
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
|
|
|
be5c2d |
+ return (0);
|
|
|
be5c2d |
+ }
|
|
|
be5c2d |
+ y = 0;
|
|
|
be5c2d |
+ toskew = -(int32)(tw - w);
|
|
|
be5c2d |
}
|
|
|
be5c2d |
|
|
|
be5c2d |
/*
|
|
|
be5c2d |
--
|
|
|
edc570 |
2.34.1
|
|
|
be5c2d |
|