File tiff-CVE-2020-35523.patch of Package tiff.34105
Index: tiff-4.0.9/libtiff/tif_getimage.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_getimage.c
+++ tiff-4.0.9/libtiff/tif_getimage.c
@@ -31,6 +31,7 @@
*/
#include "tiffiop.h"
#include <stdio.h>
+#include <limits.h>
static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32*
flip = setorientation(img);
if (flip & FLIP_VERTICALLY) {
- y = h - 1;
- toskew = -(int32)(tw + w);
+ if ((tw + w) > INT_MAX) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+ return (0);
+ }
+ y = h - 1;
+ toskew = -(int32)(tw + w);
}
else {
- y = 0;
- toskew = -(int32)(tw - w);
+ if (tw > (INT_MAX + w)) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+ return (0);
+ }
+ y = 0;
+ toskew = -(int32)(tw - w);
}
/*