From 5f3ae40bcaf5518aae18eedc90cd9b326d7bd640 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>

Date: Mon, 11 Jul 2016 16:54:49 +0200

Subject: [PATCH 8/8] Fix CVE-2016-5320

---

 libtiff/tif_pixarlog.c | 8 +++++++-

 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c

index c9f056e..c961529 100644

--- a/libtiff/tif_pixarlog.c

+++ b/libtiff/tif_pixarlog.c

@@ -462,7 +462,7 @@ typedef	struct {

 	int			state;

 	int			user_datafmt;

 	int			quality;

-	tsize_t			tbuf_size;

+	tmsize_t	tbuf_size;

 #define PLSTATE_INIT 1

 	TIFFVSetMethod		vgetparent;	/* super-class method */

@@ -691,6 +691,7 @@ PixarLogSetupDecode(TIFF* tif)

 	if (tbuf_size == 0)

 		return (0);   /* TODO: this is an error return without error report through TIFFErrorExt */

 	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);

+	sp->tbuf_size = tbuf_size;

 	if (sp->tbuf == NULL)

 		return (0);

 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)

@@ -782,6 +783,11 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)

 		TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");

 		return (0);

 	}

+	if (sp->stream.avail_out > sp->tbuf_size)

+	{

+		TIFFErrorExt(tif->tif_clientdata, module, "Error within the calculation of ZLib buffer size");

+		return (0);

+	}

 	do {

 		int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);

 		if (state == Z_STREAM_END) {

-- 

2.7.4