|
 |
ccba1e |
From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001
|
|
|
4d0001 |
From: Thomas Bernard <miniupnp@free.fr>
|
|
|
4d0001 |
Date: Sat, 14 Nov 2020 12:53:01 +0000
|
|
|
ccba1e |
Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when
|
|
|
ccba1e |
saving to JPEG YCbCr
|
|
|
4d0001 |
|
|
|
4d0001 |
fixes #220
|
|
|
ccba1e |
|
|
|
ccba1e |
(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22)
|
|
|
4d0001 |
---
|
|
|
4d0001 |
tools/tiff2pdf.c | 14 +++++++++++---
|
|
|
4d0001 |
1 file changed, 11 insertions(+), 3 deletions(-)
|
|
|
4d0001 |
|
|
|
4d0001 |
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
|
|
ccba1e |
index ff7b9c22..a5db1f64 100644
|
|
|
4d0001 |
--- a/tools/tiff2pdf.c
|
|
|
4d0001 |
+++ b/tools/tiff2pdf.c
|
|
|
4d0001 |
@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
|
|
|
4d0001 |
#endif
|
|
|
4d0001 |
(void) 0;
|
|
|
4d0001 |
}
|
|
|
4d0001 |
- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
|
|
|
4d0001 |
- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
|
|
|
4d0001 |
- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
|
|
|
4d0001 |
+#ifdef JPEG_SUPPORT
|
|
|
4d0001 |
+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
|
|
|
4d0001 |
+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
|
|
|
4d0001 |
+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
|
|
|
4d0001 |
+ } else
|
|
|
4d0001 |
+#endif
|
|
|
4d0001 |
+ {
|
|
|
4d0001 |
+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
|
|
|
4d0001 |
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
|
|
|
4d0001 |
+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
|
|
|
4d0001 |
+ }
|
|
|
4d0001 |
}
|
|
|
4d0001 |
if (k == 0) {
|
|
|
4d0001 |
/* Assume we had overflow inside TIFFScanlineSize */
|