File tiff-CVE-2017-17095.patch of Package tiff.34105
Index: tiff-4.0.9/tools/pal2rgb.c
===================================================================
--- tiff-4.0.9.orig/tools/pal2rgb.c
+++ tiff-4.0.9/tools/pal2rgb.c
@@ -189,8 +189,22 @@ main(int argc, char* argv[])
{ unsigned char *ibuf, *obuf;
register unsigned char* pp;
register uint32 x;
- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+ tmsize_t tss_in = TIFFScanlineSize(in);
+ tmsize_t tss_out = TIFFScanlineSize(out);
+ if (tss_out / tss_in < 3) {
+ /*
+ * * BUG 2750: The following code does not know about chroma
+ * * subsampling of JPEG data. It assumes that the output buffer is 3x
+ * * the length of the input buffer due to exploding the palette into
+ * * RGB tuples. If this assumption is incorrect, it could lead to a
+ * * buffer overflow. Go ahead and fail now to prevent that.
+ * */
+ fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
+ return -1;
+ }
+ ibuf = (unsigned char*)_TIFFmalloc(tss_in);
+ obuf = (unsigned char*)_TIFFmalloc(tss_out);
+
switch (config) {
case PLANARCONFIG_CONTIG:
for (row = 0; row < imagelength; row++) {
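Review bot: The new guard `tss_out / tss_in < 3` divides by `tss_in` before checking it, and TIFFScanlineSize() returns 0 when the scanline size cannot be computed (for example on overflow), so a malformed input would turn the intended buffer-overflow check into a division by zero. Rejecting a non-positive input size first keeps the check sound: `if (tss_in <= 0 || tss_out / tss_in < 3) {`. The two `_TIFFmalloc` results on the lines that follow are still used without a NULL check, which the same early-exit path could cover. Since this block lives inside main() and the function continues outside the hunk, the `return -1` presumably leaves the already-opened `in`/`out` TIFF handles unclosed; worth confirming against the surrounding cleanup, though it is harmless at process exit.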