From 5f3ae40bcaf5518aae18eedc90cd9b326d7bd640 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Mon, 11 Jul 2016 16:54:49 +0200
Subject: [PATCH 8/8] Fix CVE-2016-5320
---
libtiff/tif_pixarlog.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index c9f056e..c961529 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -462,7 +462,7 @@ typedef struct {
int state;
int user_datafmt;
int quality;
- tsize_t tbuf_size;
+ tmsize_t tbuf_size;
#define PLSTATE_INIT 1
TIFFVSetMethod vgetparent; /* super-class method */
@@ -691,6 +691,7 @@ PixarLogSetupDecode(TIFF* tif)
if (tbuf_size == 0)
return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ sp->tbuf_size = tbuf_size;
if (sp->tbuf == NULL)
return (0);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
@@ -782,6 +783,11 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
return (0);
}
+ if (sp->stream.avail_out > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "Error within the calculation of ZLib buffer size");
+ return (0);
+ }
do {
int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
if (state == Z_STREAM_END) {
--
2.7.4