Upstream patch for CVE-2012-4447.

diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c

--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c	2012-07-04 15:26:31.000000000 -0400

+++ tiff-4.0.3/libtiff/tif_pixarlog.c	2012-12-12 16:43:18.931315699 -0500

@@ -644,6 +644,20 @@

 	return bytes;

 }

+static tmsize_t

+add_ms(tmsize_t m1, tmsize_t m2)

+{

+	tmsize_t bytes = m1 + m2;

+

+	/* if either input is zero, assume overflow already occurred */

+	if (m1 == 0 || m2 == 0)

+		bytes = 0;

+	else if (bytes <= m1 || bytes <= m2)

+		bytes = 0;

+

+	return bytes;

+}

+

 static int

 PixarLogFixupTags(TIFF* tif)

 {

@@ -671,9 +685,11 @@

 	    td->td_samplesperpixel : 1);

 	tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),

 				      td->td_rowsperstrip), sizeof(uint16));

+	/* add one more stride in case input ends mid-stride */

+	tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);

 	if (tbuf_size == 0)

 		return (0);   /* TODO: this is an error return without error report through TIFFErrorExt */

-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);

+	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);

 	if (sp->tbuf == NULL)

 		return (0);

 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)