Overview

File tiff-CVE-2019-7663.patch of Package tiff.32962

Index: tiff-4.0.9/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_dirwrite.c
+++ tiff-4.0.9/libtiff/tif_dirwrite.c
@@ -1898,12 +1898,14 @@ TIFFWriteDirectoryTagTransferfunction(TI
 		n=3;
 	if (n==3)
 	{
-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+		if (tif->tif_dir.td_transferfunction[2] == NULL ||
+				!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
 			n=2;
 	}
 	if (n==2)
 	{
-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+		if (tif->tif_dir.td_transferfunction[1] == NULL ||
+				!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
 			n=1;
 	}
 	if (n==0)
Index: tiff-4.0.9/tools/tiffcp.c
===================================================================
--- tiff-4.0.9.orig/tools/tiffcp.c
+++ tiff-4.0.9/tools/tiffcp.c
@@ -1391,7 +1391,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
 	int status = 1;
 	uint32 imagew = TIFFRasterScanlineSize(in);
 	uint32 tilew = TIFFTileRowSize(in);
-	int iskew  = imagew - tilew*spp;
+	int iskew;
 	tsize_t tilesize = TIFFTileSize(in);
 	tdata_t tilebuf;
 	uint8* bufp = (uint8*) buf;
@@ -1399,6 +1399,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
 	uint32 row;
 	uint16 bps = 0, bytes_per_sample;
 
+	if (spp > (0x7fffffff / tilew))
+	{
+		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+		return 0;
+	}
+	iskew = imagew - tilew*spp;
+
 	tilebuf = _TIFFmalloc(tilesize);
 	if (tilebuf == 0)
 		return 0;
openSUSE Build Service is sponsored by
Places