File CVE-2019-11459.patch of Package evince.11542
From 3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7 Mon Sep 17 00:00:00 2001
From: Jason Crain <jcrain@src.gnome.org>
Date: Mon, 15 Apr 2019 23:06:36 -0600
Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
The TIFFReadRGBAImageOriented function returns zero if it was unable to
read the image. Return NULL in this case instead of displaying
uninitialized memory.
Fixes #1129
---
diff -urp evince-3.10.3.orig/backend/tiff/tiff-document.c evince-3.10.3/backend/tiff/tiff-document.c
--- evince-3.10.3.orig/backend/tiff/tiff-document.c 2012-02-21 13:12:16.000000000 -0600
+++ evince-3.10.3/backend/tiff/tiff-document.c 2019-06-06 16:04:49.742871415 -0500
@@ -294,17 +294,21 @@ tiff_document_render (EvDocument *d
return NULL;
}
+ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+ width, height,
+ (uint32 *)pixels,
+ orientation, 0)) {
+ g_warning ("Failed to read TIFF image.");
+ g_free (pixels);
+ return NULL;
+ }
+
surface = cairo_image_surface_create_for_data (pixels,
CAIRO_FORMAT_RGB24,
width, height,
rowstride);
cairo_surface_set_user_data (surface, &key,
pixels, (cairo_destroy_func_t)g_free);
-
- TIFFReadRGBAImageOriented (tiff_document->tiff,
- width, height,
- (uint32 *)pixels,
- orientation, 0);
pop_handlers ();
/* Convert the format returned by libtiff to
@@ -383,13 +387,17 @@ tiff_document_get_thumbnail (EvDocument
if (!pixels)
return NULL;
+ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+ width, height,
+ (uint32 *)pixels,
+ ORIENTATION_TOPLEFT, 0)) {
+ g_free (pixels);
+ return NULL;
+ }
+
pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8,
width, height, rowstride,
(GdkPixbufDestroyNotify) g_free, NULL);
- TIFFReadRGBAImageOriented (tiff_document->tiff,
- width, height,
- (uint32 *)pixels,
- ORIENTATION_TOPLEFT, 0);
pop_handlers ();
scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,
