|
 |
1ad933 |
From a9bb0f1406e9da35da4da13eabacb00d9cc2efcb Mon Sep 17 00:00:00 2001
|
|
|
1ad933 |
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
|
|
1ad933 |
Date: Mon, 11 Jul 2016 16:05:49 +0200
|
|
|
1ad933 |
Subject: [PATCH 5/8] Fix CVE-2016-3945
|
|
|
1ad933 |
|
|
|
1ad933 |
---
|
|
|
1ad933 |
tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
|
|
|
1ad933 |
1 file changed, 30 insertions(+), 4 deletions(-)
|
|
|
1ad933 |
|
|
|
1ad933 |
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
|
|
|
1ad933 |
index 737167c..5228966 100644
|
|
|
1ad933 |
--- a/tools/tiff2rgba.c
|
|
|
1ad933 |
+++ b/tools/tiff2rgba.c
|
|
|
1ad933 |
@@ -145,6 +145,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
|
|
|
1ad933 |
uint32 row, col;
|
|
|
1ad933 |
uint32 *wrk_line;
|
|
|
1ad933 |
int ok = 1;
|
|
|
1ad933 |
+ uint32 rastersize, wrk_linesize;
|
|
|
1ad933 |
|
|
|
1ad933 |
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
|
|
1ad933 |
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
|
|
1ad933 |
@@ -161,7 +162,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
|
|
|
1ad933 |
/*
|
|
|
1ad933 |
* Allocate tile buffer
|
|
|
1ad933 |
*/
|
|
|
1ad933 |
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
|
|
|
1ad933 |
+ rastersize = tile_width * tile_height * sizeof (uint32);
|
|
|
1ad933 |
+ if (width != (tile_width / tile_height) / sizeof( uint32))
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
|
|
|
1ad933 |
+ exit(-1);
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+ raster = (uint32*)_TIFFmalloc(rastersize);
|
|
|
1ad933 |
if (raster == 0) {
|
|
|
1ad933 |
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
|
|
1ad933 |
return (0);
|
|
|
1ad933 |
@@ -171,7 +178,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
|
|
|
1ad933 |
* Allocate a scanline buffer for swapping during the vertical
|
|
|
1ad933 |
* mirroring pass.
|
|
|
1ad933 |
*/
|
|
|
1ad933 |
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
|
|
|
1ad933 |
+ wrk_linesize = tile_width * sizeof (uint32);
|
|
|
1ad933 |
+ if (wrk_linesize != tile_width / sizeof (uint32))
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
|
|
|
1ad933 |
+ exit(-1);
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
|
|
|
1ad933 |
if (!wrk_line) {
|
|
|
1ad933 |
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
|
|
|
1ad933 |
ok = 0;
|
|
|
1ad933 |
@@ -247,6 +260,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
|
|
|
1ad933 |
uint32 row;
|
|
|
1ad933 |
uint32 *wrk_line;
|
|
|
1ad933 |
int ok = 1;
|
|
|
1ad933 |
+ uint32 rastersize, wrk_linesize;
|
|
|
1ad933 |
|
|
|
1ad933 |
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
|
|
1ad933 |
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
|
|
|
1ad933 |
@@ -261,7 +275,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
|
|
|
1ad933 |
/*
|
|
|
1ad933 |
* Allocate strip buffer
|
|
|
1ad933 |
*/
|
|
|
1ad933 |
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
|
|
|
1ad933 |
+ rastersize = width * rowsperstrip * sizeof (uint32);
|
|
|
1ad933 |
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
|
|
|
1ad933 |
+ exit(-1);
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+ raster = (uint32*)_TIFFmalloc(rastersize);
|
|
|
1ad933 |
if (raster == 0) {
|
|
|
1ad933 |
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
|
|
1ad933 |
return (0);
|
|
|
1ad933 |
@@ -271,7 +291,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
|
|
|
1ad933 |
* Allocate a scanline buffer for swapping during the vertical
|
|
|
1ad933 |
* mirroring pass.
|
|
|
1ad933 |
*/
|
|
|
1ad933 |
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
|
|
|
1ad933 |
+ wrk_linesize = width * sizeof (uint32);
|
|
|
1ad933 |
+ if (wrk_linesize != width / sizeof (uint32))
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
|
|
|
1ad933 |
+ exit(-1);
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
|
|
|
1ad933 |
if (!wrk_line) {
|
|
|
1ad933 |
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
|
|
|
1ad933 |
ok = 0;
|
|
|
1ad933 |
--
|
|
|
1ad933 |
2.7.4
|
|
|
1ad933 |
|