Upstream patch for CVE-2012-4447.
diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c	2012-07-04 15:26:31.000000000 -0400
+++ tiff-4.0.3/libtiff/tif_pixarlog.c	2012-12-12 16:43:18.931315699 -0500
@@ -644,6 +644,20 @@
 	return bytes;
 }
 
+static tmsize_t
+add_ms(tmsize_t m1, tmsize_t m2)
+{
+	tmsize_t bytes = m1 + m2;
+
+	/* if either input is zero, assume overflow already occurred */
+	if (m1 == 0 || m2 == 0)
+		bytes = 0;
+	else if (bytes <= m1 || bytes <= m2)
+		bytes = 0;
+
+	return bytes;
+}
+
 static int
 PixarLogFixupTags(TIFF* tif)
 {
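Review bot: add_ms computes `m1 + m2` before testing for overflow, and tmsize_t is libtiff's signed size type, so an overflowing sum is undefined behaviour rather than the wraparound that the `bytes <= m1 || bytes <= m2` test relies on; an optimizing compiler is entitled to conclude that a sum of two positive operands cannot be smaller than either and drop that branch. Test the operands against the type's maximum before adding, e.g. `if (m1 <= 0 || m2 <= 0 || m1 > TMSIZE_MAX_PLACEHOLDER - m2) return 0; return m1 + m2;`, where the bound stands for the maximum value of tmsize_t (a placeholder name here, since the patch does not show one). That form also rejects negative inputs explicitly instead of leaving it to the post-hoc comparison. A one-line header comment stating the contract would help callers, e.g. `/* Return m1 + m2, or 0 if either operand is 0 or the sum would overflow tmsize_t. */`.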
@@ -671,9 +685,11 @@
 	    td->td_samplesperpixel : 1);
 	tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
 				      td->td_rowsperstrip), sizeof(uint16));
+	/* add one more stride in case input ends mid-stride */
+	tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
 	if (tbuf_size == 0)
 		return (0);   /* TODO: this is an error return without error report through TIFFErrorExt */
-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
+	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
 	if (sp->tbuf == NULL)
 		return (0);
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
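Review bot: The second operand passed to add_ms on the added line, `sizeof(uint16) * sp->stride`, is an unchecked multiplication, whereas every other factor of tbuf_size two lines above goes through multiply_ms; a large stride could overflow the product (or, the product being a size_t, convert to a negative tmsize_t) before add_ms ever sees it. The type of sp->stride is not visible in this hunk, so this may be harmless in practice, but routing it through the same guard keeps the size arithmetic uniformly checked: `tbuf_size = add_ms(tbuf_size, multiply_ms(sizeof(uint16), sp->stride));`. The enclosing function begins before this hunk and continues past it.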