From 5f3ae40bcaf5518aae18eedc90cd9b326d7bd640 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikola=20Forr=C3=B3?= Date: Mon, 11 Jul 2016 16:54:49 +0200 Subject: [PATCH 8/8] Fix CVE-2016-5320 --- libtiff/tif_pixarlog.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index c9f056e..c961529 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c @@ -462,7 +462,7 @@ typedef struct { int state; int user_datafmt; int quality; - tsize_t tbuf_size; + tmsize_t tbuf_size; #define PLSTATE_INIT 1 TIFFVSetMethod vgetparent; /* super-class method */ @@ -691,6 +691,7 @@ PixarLogSetupDecode(TIFF* tif) if (tbuf_size == 0) return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + sp->tbuf_size = tbuf_size; if (sp->tbuf == NULL) return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) @@ -782,6 +783,11 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); return (0); } + if (sp->stream.avail_out > sp->tbuf_size) + { + TIFFErrorExt(tif->tif_clientdata, module, "Error within the calculation of ZLib buffer size"); + return (0); + } do { int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); if (state == Z_STREAM_END) { -- 2.7.4