Overview

File tiff-3.8.2-CVE-2010-4665.patch of Package tiff3

http://bugzilla.maptools.org/attachment.cgi?id=398
Make tiffdump more paranoid about checking the count field of a directory
entry.


diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
--- tools/tiffdump.c	2010-06-08 14:50:44.000000000 -0400
+++ tools/tiffdump.c	2010-06-22 12:51:42.207932477 -0400
@@ -46,6 +46,7 @@
 # include <io.h>
 #endif
 
+#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
 #include "tiffio.h"
 
 #ifndef O_BINARY
@@ -317,7 +318,7 @@
 			printf(">\n");
 			continue;
 		}
-		space = dp->tdir_count * datawidth[dp->tdir_type];
+		space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
 		if (space <= 0) {
 			printf(">\n");
 			Error("Invalid count for tag %u", dp->tdir_tag);
@@ -709,7 +710,7 @@
 	w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
 	cc = dir->tdir_count * w;
 	if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
-	    && read(fd, cp, cc) != -1) {
+	    && read(fd, cp, cc) == cc) {
 		if (swabflag) {
 			switch (dir->tdir_type) {
 			case TIFF_SHORT:
openSUSE Build Service is sponsored by
Places