From a9bb0f1406e9da35da4da13eabacb00d9cc2efcb Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>

Date: Mon, 11 Jul 2016 16:05:49 +0200

Subject: [PATCH 5/8] Fix CVE-2016-3945

---

 tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----

 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c

index 737167c..5228966 100644

--- a/tools/tiff2rgba.c

+++ b/tools/tiff2rgba.c

@@ -145,6 +145,7 @@ cvt_by_tile( TIFF *in, TIFF *out )

     uint32  row, col;

     uint32  *wrk_line;

     int	    ok = 1;

+    uint32  rastersize, wrk_linesize;

     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);

     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);

@@ -161,7 +162,13 @@ cvt_by_tile( TIFF *in, TIFF *out )

     /*

      * Allocate tile buffer

      */

-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));

+    rastersize = tile_width * tile_height * sizeof (uint32);

+    if (width != (tile_width / tile_height) / sizeof( uint32))

+    {

+	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");

+	exit(-1);

+    }

+    raster = (uint32*)_TIFFmalloc(rastersize);

     if (raster == 0) {

         TIFFError(TIFFFileName(in), "No space for raster buffer");

         return (0);

@@ -171,7 +178,13 @@ cvt_by_tile( TIFF *in, TIFF *out )

      * Allocate a scanline buffer for swapping during the vertical

      * mirroring pass.

      */

-    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));

+    wrk_linesize = tile_width * sizeof (uint32);

+    if (wrk_linesize != tile_width / sizeof (uint32))

+    {

+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");

+	exit(-1);

+    }

+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);

     if (!wrk_line) {

         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");

         ok = 0;

@@ -247,6 +260,7 @@ cvt_by_strip( TIFF *in, TIFF *out )

     uint32  row;

     uint32  *wrk_line;

     int	    ok = 1;

+    uint32  rastersize, wrk_linesize;

     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);

     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);

@@ -261,7 +275,13 @@ cvt_by_strip( TIFF *in, TIFF *out )

     /*

      * Allocate strip buffer

      */

-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));

+    rastersize = width * rowsperstrip * sizeof (uint32);

+    if (width != (rastersize / rowsperstrip) / sizeof( uint32))

+    {

+	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");

+	exit(-1);

+    }

+    raster = (uint32*)_TIFFmalloc(rastersize);

     if (raster == 0) {

         TIFFError(TIFFFileName(in), "No space for raster buffer");

         return (0);

@@ -271,7 +291,13 @@ cvt_by_strip( TIFF *in, TIFF *out )

      * Allocate a scanline buffer for swapping during the vertical

      * mirroring pass.

      */

-    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));

+    wrk_linesize = width * sizeof (uint32);

+    if (wrk_linesize != width / sizeof (uint32))

+    {

+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");

+	exit(-1);

+    }

+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);

     if (!wrk_line) {

         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");

         ok = 0;

-- 

2.7.4