|
 |
bddd17 |
Upstream patch for CVE-2012-4564.
|
|
|
bddd17 |
|
|
|
bddd17 |
|
|
|
bddd17 |
diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c
|
|
|
bddd17 |
--- tiff-4.0.3.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400
|
|
|
bddd17 |
+++ tiff-4.0.3/tools/ppm2tiff.c 2012-12-12 16:43:18.932315708 -0500
|
|
|
bddd17 |
@@ -72,6 +72,17 @@
|
|
|
bddd17 |
exit(-2);
|
|
|
bddd17 |
}
|
|
|
bddd17 |
|
|
|
bddd17 |
+static tmsize_t
|
|
|
bddd17 |
+multiply_ms(tmsize_t m1, tmsize_t m2)
|
|
|
bddd17 |
+{
|
|
|
bddd17 |
+ tmsize_t bytes = m1 * m2;
|
|
|
bddd17 |
+
|
|
|
bddd17 |
+ if (m1 && bytes / m1 != m2)
|
|
|
bddd17 |
+ bytes = 0;
|
|
|
bddd17 |
+
|
|
|
bddd17 |
+ return bytes;
|
|
|
bddd17 |
+}
|
|
|
bddd17 |
+
|
|
|
bddd17 |
int
|
|
|
bddd17 |
main(int argc, char* argv[])
|
|
|
bddd17 |
{
|
|
|
bddd17 |
@@ -79,7 +90,7 @@
|
|
|
bddd17 |
uint32 rowsperstrip = (uint32) -1;
|
|
|
bddd17 |
double resolution = -1;
|
|
|
bddd17 |
unsigned char *buf = NULL;
|
|
|
bddd17 |
- tsize_t linebytes = 0;
|
|
|
bddd17 |
+ tmsize_t linebytes = 0;
|
|
|
bddd17 |
uint16 spp = 1;
|
|
|
bddd17 |
uint16 bpp = 8;
|
|
|
bddd17 |
TIFF *out;
|
|
|
bddd17 |
@@ -89,6 +100,7 @@
|
|
|
bddd17 |
int c;
|
|
|
bddd17 |
extern int optind;
|
|
|
bddd17 |
extern char* optarg;
|
|
|
bddd17 |
+ tmsize_t scanline_size;
|
|
|
bddd17 |
|
|
|
bddd17 |
if (argc < 2) {
|
|
|
bddd17 |
fprintf(stderr, "%s: Too few arguments\n", argv[0]);
|
|
|
bddd17 |
@@ -221,7 +233,8 @@
|
|
|
bddd17 |
}
|
|
|
bddd17 |
switch (bpp) {
|
|
|
bddd17 |
case 1:
|
|
|
bddd17 |
- linebytes = (spp * w + (8 - 1)) / 8;
|
|
|
bddd17 |
+ /* if round-up overflows, result will be zero, OK */
|
|
|
bddd17 |
+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
|
|
|
bddd17 |
if (rowsperstrip == (uint32) -1) {
|
|
|
bddd17 |
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
|
|
|
bddd17 |
} else {
|
|
|
bddd17 |
@@ -230,15 +243,31 @@
|
|
|
bddd17 |
}
|
|
|
bddd17 |
break;
|
|
|
bddd17 |
case 8:
|
|
|
bddd17 |
- linebytes = spp * w;
|
|
|
bddd17 |
+ linebytes = multiply_ms(spp, w);
|
|
|
bddd17 |
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
|
|
|
bddd17 |
TIFFDefaultStripSize(out, rowsperstrip));
|
|
|
bddd17 |
break;
|
|
|
bddd17 |
}
|
|
|
bddd17 |
- if (TIFFScanlineSize(out) > linebytes)
|
|
|
bddd17 |
+ if (linebytes == 0) {
|
|
|
bddd17 |
+ fprintf(stderr, "%s: scanline size overflow\n", infile);
|
|
|
bddd17 |
+ (void) TIFFClose(out);
|
|
|
bddd17 |
+ exit(-2);
|
|
|
bddd17 |
+ }
|
|
|
bddd17 |
+ scanline_size = TIFFScanlineSize(out);
|
|
|
bddd17 |
+ if (scanline_size == 0) {
|
|
|
bddd17 |
+ /* overflow - TIFFScanlineSize already printed a message */
|
|
|
bddd17 |
+ (void) TIFFClose(out);
|
|
|
bddd17 |
+ exit(-2);
|
|
|
bddd17 |
+ }
|
|
|
bddd17 |
+ if (scanline_size < linebytes)
|
|
|
bddd17 |
buf = (unsigned char *)_TIFFmalloc(linebytes);
|
|
|
bddd17 |
else
|
|
|
bddd17 |
- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
|
|
|
bddd17 |
+ buf = (unsigned char *)_TIFFmalloc(scanline_size);
|
|
|
bddd17 |
+ if (buf == NULL) {
|
|
|
bddd17 |
+ fprintf(stderr, "%s: Not enough memory\n", infile);
|
|
|
bddd17 |
+ (void) TIFFClose(out);
|
|
|
bddd17 |
+ exit(-2);
|
|
|
bddd17 |
+ }
|
|
|
bddd17 |
if (resolution > 0) {
|
|
|
bddd17 |
TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
|
|
|
bddd17 |
TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
|