File tiff-CVE-2017-17095.patch of Package tiff.40314
Index: tiff-4.0.9/tools/pal2rgb.c
===================================================================
--- tiff-4.0.9.orig/tools/pal2rgb.c
+++ tiff-4.0.9/tools/pal2rgb.c
@@ -189,8 +189,22 @@ main(int argc, char* argv[])
 	{ unsigned char *ibuf, *obuf;
 	  register unsigned char* pp;
 	  register uint32 x;
-	  ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
-	  obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+	  tmsize_t tss_in = TIFFScanlineSize(in);
+	  tmsize_t tss_out = TIFFScanlineSize(out);
+	  if (tss_out / tss_in < 3) {
+		  /*
+		   *		 * BUG 2750: The following code does not know about chroma
+		   *				 * subsampling of JPEG data. It assumes that the output buffer is 3x
+		   *						 * the length of the input buffer due to exploding the palette into
+		   *								 * RGB tuples. If this assumption is incorrect, it could lead to a
+		   *										 * buffer overflow. Go ahead and fail now to prevent that.
+		   *												 */
+		  fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
+		  return -1;
+	  }
+	  ibuf = (unsigned char*)_TIFFmalloc(tss_in);
+	  obuf = (unsigned char*)_TIFFmalloc(tss_out);
+
 	  switch (config) {
 	  case PLANARCONFIG_CONTIG:
 		for (row = 0; row < imagelength; row++) {
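Review bot: The new guard `tss_out / tss_in < 3` divides by `tss_in` before anything checks that it is non-zero. `TIFFScanlineSize()` reports failure by returning 0, so a malformed input file can turn this overflow check into a division by zero. Both sizes should be rejected up front, for example `if (tss_in <= 0 || tss_out <= 0 || tss_out / tss_in < 3) {`. The two `_TIFFmalloc()` results are still used unchecked; an `if (ibuf == NULL || obuf == NULL)` bail-out right after the allocations would cover the allocation-failure path. `main` starts and ends outside this hunk, so whether the early `return -1` skips closing `in` and `out` cannot be confirmed from here.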