rpms / libtiff

Clone
Source Code
GIT

Blame SOURCES/libtiff-CVE-2012-4564.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   f135ac6e64af9bdc093bd82a0d952a6037fbc0b0
  2.   SOURCES
  3.   libtiff-CVE-2012-4564.patch
Blob History Raw
460672 
Upstream patch for CVE-2012-4564.
460672
460672
460672 
diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c
460672 
--- tiff-4.0.3.orig/tools/ppm2tiff.c	2010-04-10 15:22:34.000000000 -0400
460672 
+++ tiff-4.0.3/tools/ppm2tiff.c	2012-12-12 16:43:18.932315708 -0500
460672 
@@ -72,6 +72,17 @@
460672 
 	exit(-2);
460672 
 }
460672
460672 
+static tmsize_t
460672 
+multiply_ms(tmsize_t m1, tmsize_t m2)
460672 
+{
460672 
+	tmsize_t bytes = m1 * m2;
460672 
+
460672 
+	if (m1 && bytes / m1 != m2)
460672 
+		bytes = 0;
460672 
+
460672 
+	return bytes;
460672 
+}
460672 
+
460672 
 int
460672 
 main(int argc, char* argv[])
460672 
 {
460672 
@@ -79,7 +90,7 @@
460672 
 	uint32 rowsperstrip = (uint32) -1;
460672 
 	double resolution = -1;
460672 
 	unsigned char *buf = NULL;
460672 
-	tsize_t linebytes = 0;
460672 
+	tmsize_t linebytes = 0;
460672 
 	uint16 spp = 1;
460672 
 	uint16 bpp = 8;
460672 
 	TIFF *out;
460672 
@@ -89,6 +100,7 @@
460672 
 	int c;
460672 
 	extern int optind;
460672 
 	extern char* optarg;
460672 
+	tmsize_t scanline_size;
460672
460672 
 	if (argc < 2) {
460672 
 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
460672 
@@ -221,7 +233,8 @@
460672 
 	}
460672 
 	switch (bpp) {
460672 
 		case 1:
460672 
-			linebytes = (spp * w + (8 - 1)) / 8;
460672 
+			/* if round-up overflows, result will be zero, OK */
460672 
+			linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
460672 
 			if (rowsperstrip == (uint32) -1) {
460672 
 				TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
460672 
 			} else {
460672 
@@ -230,15 +243,31 @@
460672 
 			}
460672 
 			break;
460672 
 		case 8:
460672 
-			linebytes = spp * w;
460672 
+			linebytes = multiply_ms(spp, w);
460672 
 			TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
460672 
 			    TIFFDefaultStripSize(out, rowsperstrip));
460672 
 			break;
460672 
 	}
460672 
-	if (TIFFScanlineSize(out) > linebytes)
460672 
+	if (linebytes == 0) {
460672 
+		fprintf(stderr, "%s: scanline size overflow\n", infile);
460672 
+		(void) TIFFClose(out);
460672 
+		exit(-2);
460672 
+	}
460672 
+	scanline_size = TIFFScanlineSize(out);
460672 
+	if (scanline_size == 0) {
460672 
+		/* overflow - TIFFScanlineSize already printed a message */
460672 
+		(void) TIFFClose(out);
460672 
+		exit(-2);
460672 
+	}
460672 
+	if (scanline_size < linebytes)
460672 
 		buf = (unsigned char *)_TIFFmalloc(linebytes);
460672 
 	else
460672 
-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
460672 
+		buf = (unsigned char *)_TIFFmalloc(scanline_size);
460672 
+	if (buf == NULL) {
460672 
+		fprintf(stderr, "%s: Not enough memory\n", infile);
460672 
+		(void) TIFFClose(out);
460672 
+		exit(-2);
460672 
+	}
460672 
 	if (resolution > 0) {
460672 
 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
460672 
 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation