rpms / libtiff

Clone
Source Code
GIT

Blame SOURCES/libtiff-CVE-2014-9330.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   1ad9335dc0c1325262c62842eda01476243ec821
  2.   SOURCES
  3.   libtiff-CVE-2014-9330.patch
Blob History Raw
1ad933 
diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
1ad933 
index c66a8d2..b5ed30b 100644
1ad933 
--- a/tools/bmp2tiff.c
1ad933 
+++ b/tools/bmp2tiff.c
1ad933 
@@ -403,6 +403,14 @@ main(int argc, char* argv[])
1ad933
1ad933 
 		width = info_hdr.iWidth;
1ad933 
 		length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
1ad933 
+        if( width <= 0 || length <= 0 )
1ad933 
+        {
1ad933 
+            TIFFError(infilename,
1ad933 
+                  "Invalid dimensions of BMP file" );
1ad933 
+            close(fd);
1ad933 
+            return -1;
1ad933 
+        }
1ad933 
+
1ad933
1ad933 
 		switch (info_hdr.iBitCount)
1ad933 
 		{
1ad933 
@@ -593,6 +601,14 @@ main(int argc, char* argv[])
1ad933
1ad933 
 			compr_size = file_hdr.iSize - file_hdr.iOffBits;
1ad933 
 			uncompr_size = width * length;
1ad933 
+            /* Detect int overflow */
1ad933 
+            if( uncompr_size / width != length )
1ad933 
+            {
1ad933 
+                TIFFError(infilename,
1ad933 
+                    "Invalid dimensions of BMP file" );
1ad933 
+                close(fd);
1ad933 
+                return -1;
1ad933 
+            }
1ad933 
 			comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
1ad933 
 			if (!comprbuf) {
1ad933 
 				TIFFError(infilename,

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation