Blame SOURCES/libtiff-CVE-2015-8668.patch
|
|
460672 |
diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
|
|
|
460672 |
index 376f4e6..c747c13 100644
|
|
|
460672 |
--- a/tools/bmp2tiff.c
|
|
|
460672 |
+++ b/tools/bmp2tiff.c
|
|
|
460672 |
@@ -614,19 +614,27 @@ main(int argc, char* argv[])
|
|
|
460672 |
|| info_hdr.iCompression == BMPC_RLE4 ) {
|
|
|
460672 |
uint32 i, j, k, runlength;
|
|
|
460672 |
uint32 compr_size, uncompr_size;
|
|
|
460672 |
+ uint32 bits = 0;
|
|
|
460672 |
unsigned char *comprbuf;
|
|
|
460672 |
unsigned char *uncomprbuf;
|
|
|
460672 |
|
|
|
460672 |
compr_size = file_hdr.iSize - file_hdr.iOffBits;
|
|
|
460672 |
- uncompr_size = width * length;
|
|
|
460672 |
- /* Detect int overflow */
|
|
|
460672 |
- if( uncompr_size / width != length )
|
|
|
460672 |
- {
|
|
|
460672 |
- TIFFError(infilename,
|
|
|
460672 |
- "Invalid dimensions of BMP file" );
|
|
|
460672 |
- close(fd);
|
|
|
460672 |
- return -1;
|
|
|
460672 |
- }
|
|
|
460672 |
+
|
|
|
460672 |
+ bits = info_hdr.iBitCount;
|
|
|
460672 |
+
|
|
|
460672 |
+ if (bits > 8) // bit depth is > 8bit, adjust size
|
|
|
460672 |
+ {
|
|
|
460672 |
+ uncompr_size = width * length * (bits / 8);
|
|
|
460672 |
+ /* Detect int overflow */
|
|
|
460672 |
+ if (uncompr_size / width / (bits / 8) != length) {
|
|
|
460672 |
+ TIFFError(infilename,
|
|
|
460672 |
+ "Invalid dimensions of BMP file");
|
|
|
460672 |
+ close(fd);
|
|
|
460672 |
+ return -1;
|
|
|
460672 |
+ }
|
|
|
460672 |
+ }
|
|
|
460672 |
+ else
|
|
|
460672 |
+ uncompr_size = width * length;
|
|
|
460672 |
comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
|
|
|
460672 |
if (!comprbuf) {
|
|
|
460672 |
TIFFError(infilename,
|