Blame SOURCES/libtiff-CVE-2018-12900.patch
|
 |
b03815 |
From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001
|
|
|
b03815 |
From: Thomas Bernard <miniupnp@free.fr>
|
|
|
b03815 |
Date: Mon, 11 Feb 2019 10:05:33 +0100
|
|
|
b03815 |
Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
|
|
|
b03815 |
|
|
|
b03815 |
fixes bug 2833
|
|
|
b03815 |
---
|
|
|
b03815 |
tools/tiffcp.c | 9 ++++++++-
|
|
|
b03815 |
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
b03815 |
|
|
|
b03815 |
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
|
|
b03815 |
index 489459a..0c66229 100644
|
|
|
b03815 |
--- a/tools/tiffcp.c
|
|
|
b03815 |
+++ b/tools/tiffcp.c
|
|
|
b03815 |
@@ -43,6 +43,7 @@
|
|
|
b03815 |
#include <stdio.h>
|
|
|
b03815 |
#include <stdlib.h>
|
|
|
b03815 |
#include <string.h>
|
|
|
b03815 |
+#include <limits.h>
|
|
|
b03815 |
|
|
|
b03815 |
#include <ctype.h>
|
|
|
b03815 |
|
|
|
b03815 |
@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
|
|
|
b03815 |
int status = 1;
|
|
|
b03815 |
uint32 imagew = TIFFRasterScanlineSize(in);
|
|
|
b03815 |
uint32 tilew = TIFFTileRowSize(in);
|
|
|
b03815 |
- int iskew = imagew - tilew*spp;
|
|
|
b03815 |
+ int iskew;
|
|
|
b03815 |
tsize_t tilesize = TIFFTileSize(in);
|
|
|
b03815 |
tdata_t tilebuf;
|
|
|
b03815 |
uint8* bufp = (uint8*) buf;
|
|
|
b03815 |
@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
|
|
|
b03815 |
uint32 row;
|
|
|
b03815 |
uint16 bps = 0, bytes_per_sample;
|
|
|
b03815 |
|
|
|
b03815 |
+ if (tilew && spp > (INT_MAX / tilew))
|
|
|
b03815 |
+ {
|
|
|
b03815 |
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
|
|
|
b03815 |
+ return 0;
|
|
|
b03815 |
+ }
|
|
|
b03815 |
+ iskew = imagew - tilew*spp;
|
|
|
b03815 |
tilebuf = _TIFFmalloc(tilesize);
|
|
|
b03815 |
if (tilebuf == 0)
|
|
|
b03815 |
return 0;
|
|
|
b03815 |
--
|
|
|
b03815 |
2.21.0
|
|
|
b03815 |
|