File tiff-CVE-2018-18661.patch of Package tiff.34105
Index: tiff-4.0.9/tools/tiff2bw.c
===================================================================
--- tiff-4.0.9.orig/tools/tiff2bw.c 2018-11-12 14:31:24.284773519 +0100
+++ tiff-4.0.9/tools/tiff2bw.c 2018-11-12 14:31:24.296773576 +0100
@@ -40,6 +40,7 @@
#endif
#include "tiffio.h"
+#include "tiffiop.h"
#define streq(a,b) (strcmp((a),(b)) == 0)
#define strneq(a,b,n) (strncmp(a,b,n) == 0)
@@ -223,6 +224,11 @@ main(int argc, char* argv[])
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ if( !outbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
TIFFDefaultStripSize(out, rowsperstrip));
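Review bot: The `Out of memory` message in the new `if( !outbuf )` block will also be printed when `TIFFScanlineSize(out)` returns 0 for an invalid or overflowing image geometry, because, as far as I recall, libtiff's `_TIFFmalloc` returns NULL for a zero-byte request. That makes a malformed input look like memory exhaustion during triage. I would keep the size in a local and test it first, e.g. `tmsize_t outsize = TIFFScanlineSize(out);` followed by `if (outsize <= 0) { fprintf(stderr, "Invalid scanline size\n"); goto tiff2bw_error; }`. The same applies to the three `inbuf` checks added in the hunks at -246, -256 and -265. `main` begins and ends outside this hunk.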
@@ -246,6 +252,11 @@ main(int argc, char* argv[])
#undef CVT
}
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+ if( !inbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
for (row = 0; row < h; row++) {
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
break;
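Review bot: By the time this `goto tiff2bw_error` can fire, `outbuf` has presumably already been allocated and `out` opened earlier in `main`, but the `tiff2bw_error` label is not in any hunk shown. The patch alone therefore does not confirm that the error path frees `outbuf` and closes both `in` and `out`. If the label simply returns, a short comment there such as `/* buffers and handles are reclaimed at process exit */` would make that intentional. Otherwise it should release the same resources as the normal path, which tests `if (inbuf)` after `#undef pack`. The identical jumps added in the hunks at -256 and -265 raise the same question.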
@@ -256,6 +267,11 @@ main(int argc, char* argv[])
break;
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+ if( !inbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
for (row = 0; row < h; row++) {
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
break;
@@ -265,8 +281,16 @@ main(int argc, char* argv[])
}
break;
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
+ {
+ tmsize_t inbufsize;
rowsize = TIFFScanlineSize(in);
- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
+ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
+ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
+ if( !inbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
for (row = 0; row < h; row++) {
for (s = 0; s < 3; s++)
if (TIFFReadScanline(in,
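Review bot: `TIFFSafeMultiply(tmsize_t, 3, rowsize)` only protects the `_TIFFmalloc` call if the macro's own overflow test is well defined. As I recall, it multiplies its operands in their original type before casting, so with a signed `rowsize` the test relies on signed overflow. `rowsize` is declared outside this hunk, so its type needs confirming. If it is signed, an explicit bound before the multiply is more robust, e.g. `if (rowsize <= 0 || rowsize > MAX_TMSIZE / 3) goto tiff2bw_error;`, where `MAX_TMSIZE` is a placeholder for the largest `tmsize_t` value. The read loop that indexes `inbuf` by plane continues past the end of this hunk.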
@@ -278,6 +302,7 @@ main(int argc, char* argv[])
break;
}
break;
+ }
}
#undef pack
if (inbuf)