Tree - rpms/libtiff - CentOS Git server

rpms / libtiff

Blame SOURCES/libtiff-CVE-2020-35523.patch

Blob History Raw

		837307	`From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001`
		837307	`From: Thomas Bernard <miniupnp@free.fr>`
		837307	`Date: Tue, 10 Nov 2020 01:54:30 +0100`
		837307	`Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow`
		837307
		837307	`fixes #211`
		837307	`---`
		837307	`libtiff/tif_getimage.c \| 17 +++++++++++++----`
		837307	`1 file changed, 13 insertions(+), 4 deletions(-)`
		837307
		837307	`diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c`
		837307	`index c6edd27..b1f7cc9 100644`
		837307	`--- a/libtiff/tif_getimage.c`
		837307	`+++ b/libtiff/tif_getimage.c`
		837307	`@@ -31,6 +31,7 @@`
		837307	`*/`
		837307	`#include "tiffiop.h"`
		837307	`#include <stdio.h>`
		837307	`+#include <limits.h>`
		837307
		837307	`static int gtTileContig(TIFFRGBAImage, uint32, uint32, uint32);`
		837307	`static int gtTileSeparate(TIFFRGBAImage, uint32, uint32, uint32);`
		837307	`@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)`
		837307
		837307	`flip = setorientation(img);`
		837307	`if (flip & FLIP_VERTICALLY) {`
		837307	`- y = h - 1;`
		837307	`- toskew = -(int32)(tw + w);`
		837307	`+ if ((tw + w) > INT_MAX) {`
		837307	`+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");`
		837307	`+ return (0);`
		837307	`+ }`
		837307	`+ y = h - 1;`
		837307	`+ toskew = -(int32)(tw + w);`
		837307	`}`
		837307	`else {`
		837307	`- y = 0;`
		837307	`- toskew = -(int32)(tw - w);`
		837307	`+ if (tw > (INT_MAX + w)) {`
		837307	`+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");`
		837307	`+ return (0);`
		837307	`+ }`
		837307	`+ y = 0;`
		837307	`+ toskew = -(int32)(tw - w);`
		837307	`}`
		837307
		837307	`/*`
		837307	`--`
		837307	`2.31.1`
		837307

rpms / libtiff

Source Code

Blame SOURCES/libtiff-CVE-2020-35523.patch