|
 |
3528ec |
From 12f57b64abecdb610aee44b70d2379c301ce5b09 Mon Sep 17 00:00:00 2001
|
|
|
3528ec |
From: Even Rouault <even.rouault@spatialys.com>
|
|
|
3528ec |
Date: Wed, 15 Aug 2018 16:34:40 +0200
|
|
|
3528ec |
Subject: [PATCH 04/10] TIFFSetupStrips(): avoid potential uint32 overflow on
|
|
|
3528ec |
32-bit systems with large number of strips. Probably relates to
|
|
|
3528ec |
http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
|
|
|
3528ec |
|
|
|
3528ec |
---
|
|
|
3528ec |
libtiff/tif_write.c | 6 ++++--
|
|
|
3528ec |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
3528ec |
|
|
|
3528ec |
diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
|
|
|
3528ec |
index ce671af..c7c29a5 100644
|
|
|
3528ec |
--- a/libtiff/tif_write.c
|
|
|
3528ec |
+++ b/libtiff/tif_write.c
|
|
|
3528ec |
@@ -484,9 +484,11 @@ TIFFSetupStrips(TIFF* tif)
|
|
|
3528ec |
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
|
|
|
3528ec |
td->td_stripsperimage /= td->td_samplesperpixel;
|
|
|
3528ec |
td->td_stripoffset = (uint64 *)
|
|
|
3528ec |
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
|
|
|
3528ec |
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
|
|
|
3528ec |
+ "for \"StripOffsets\" array");
|
|
|
3528ec |
td->td_stripbytecount = (uint64 *)
|
|
|
3528ec |
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
|
|
|
3528ec |
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
|
|
|
3528ec |
+ "for \"StripByteCounts\" array");
|
|
|
3528ec |
if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
|
|
|
3528ec |
return (0);
|
|
|
3528ec |
/*
|
|
|
3528ec |
--
|
|
|
3528ec |
2.17.2
|
|
|
3528ec |
|