Overview

File tiff-3.8.2-CVE-2012-4447.patch of Package tiff3

Index: libtiff/tif_pixarlog.c
===================================================================
--- libtiff/tif_pixarlog.c.orig
+++ libtiff/tif_pixarlog.c
@@ -93,6 +93,8 @@
 #include <stdlib.h>
 #include <math.h>
 
+#include <limits.h>
+
 /* Tables for converting to/from 11 bit coded values */
 
 #define  TSIZE	 2048		/* decode table size (11-bit tokens) */
@@ -664,7 +666,15 @@ PixarLogSetupDecode(TIFF* tif)
 				      td->td_rowsperstrip), sizeof(uint16));
 	if (tbuf_size == 0)
 		return (0);
-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+	
+	int i_stride = sp->stride * sizeof(uint16);
+	if (tbuf_size > (INT_MAX - i_stride)) { 
+		TIFFErrorExt(tif->tif_clientdata, module, "%s: overflow!", 
+				tif->tif_name);
+		return (0);
+	}
+
+	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size + i_stride);
 	if (sp->tbuf == NULL)
 		return (0);
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
@@ -829,7 +839,15 @@ PixarLogSetupEncode(TIFF* tif)
 				      td->td_rowsperstrip), sizeof(uint16));
 	if (tbuf_size == 0)
 		return (0);
-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+
+       int i_stride = sp->stride * sizeof(uint16);
+       if (tbuf_size > (INT_MAX - i_stride)) { 
+               TIFFErrorExt(tif->tif_clientdata, module, "%s: overflow!",
+                               tif->tif_name);
+               return (0);
+       }
+
+       sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size + i_stride);
 	if (sp->tbuf == NULL)
 		return (0);
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
openSUSE Build Service is sponsored by
Places