File tiff-CVE-2015-8668.patch of Package tiff.34105
Based on tiff-CVE-2015-8668.patch from SLE11.
Which is based on attached patch attached to bsc#960589 with different else case.
Index: tiff-4.0.9/tools/bmp2tiff.c
===================================================================
--- tiff-4.0.9.orig/tools/bmp2tiff.c
+++ tiff-4.0.9/tools/bmp2tiff.c
@@ -648,18 +648,35 @@ main(int argc, char* argv[])
|| info_hdr.iCompression == BMPC_RLE4 ) {
uint32 i, j, k, runlength;
uint32 compr_size, uncompr_size;
+ uint32 bits = 0;
unsigned char *comprbuf;
unsigned char *uncomprbuf;
compr_size = file_hdr.iSize - file_hdr.iOffBits;
- uncompr_size = width * length;
- /* Detect int overflow */
- if( uncompr_size / width != length ) {
- TIFFError(infilename,
- "Invalid dimensions of BMP file" );
- close(fd);
- return -1;
- }
+
+ bits = info_hdr.iBitCount;
+
+ if (bits > 8) // bit depth is > 8bit, adjust size
+ {
+ uncompr_size = width * length * (bits / 8);
+ /* Detect int overflow */
+ if (uncompr_size / width / (bits / 8) != length) {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file");
+ close(fd);
+ return -1;
+ }
+ } else {
+ uncompr_size = width * length;
+ /* Detect int overflow */
+ if( uncompr_size / width != length ) {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file" );
+ close(fd);
+ return -1;
+ }
+ }
+
if ( (compr_size == 0) ||
(compr_size > ((uint32) ~0) >> 1) ||
(uncompr_size == 0) ||