File tiff-3.8.2-CVE-2010-1411.patch of Package tiff3
Index: tiff-3.8.2/libtiff/tif_fax3.c
===================================================================
--- tiff-3.8.2.orig/libtiff/tif_fax3.c
+++ tiff-3.8.2/libtiff/tif_fax3.c
@@ -42,6 +42,7 @@
#define G3CODES
#include "t4.h"
#include <stdio.h>
+#include <stdint.h>
/*
* Compression+decompression state blocks are
@@ -491,10 +492,21 @@ Fax3SetupState(TIFF* tif)
td->td_compression == COMPRESSION_CCITTFAX4
);
- nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels;
+ uint64_t val64 = rowpixels;
+ if (needsRefLine)
+ {
+ val64 = 2 * (((val64 + 31) /32) * 32);
+ if (val64 > 0xffffffff)
+ return (0);
+ }
+ nruns = (val64 &0xffffffff);
+
+ val64 = 2*(uint64_t)nruns+3;
+ if (val64 > 0xffffffff)
+ return (0);
- dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32),
- "for Group 3/4 run arrays");
+ dsp->runs = (uint32*) _TIFFCheckMalloc(tif, (val64 & 0xffffffff),
+ sizeof(uint32), "for Group 3/4 run arrays");
if (dsp->runs == NULL)
return (0);
dsp->curruns = dsp->runs;
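Review bot: The second guard, `if (val64 > 0xffffffff)` just before the `_TIFFCheckMalloc` call, bounds only the element count, so the byte size (count times `sizeof(uint32)`) can still exceed 32 bits. The hunk then relies on `_TIFFCheckMalloc` rejecting the overflowing product, which is not visible here. Comparing against the byte limit instead would make the check self-contained: `if (val64 > 0xffffffff / sizeof(uint32))`. Both new `return (0);` paths also fail without a diagnostic; a call such as `TIFFError(tif->tif_name, "Row pixels integer overflow");` before each return would let whoever triages a rejected file see that the overflow check fired. Fax3SetupState starts and ends outside the hunk, so the 32-bit unsigned type of `nruns` and `rowpixels` is assumed from the masks rather than seen.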