Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.2:Test
tiff
tiff-3.8.2-CVE-2012-2088.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tiff-3.8.2-CVE-2012-2088.patch of Package tiff
Description: fix possible arbitrary code execution via buffer overflow due to type-conversion flaw Origin: thanks to Red Hat Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1016324 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678140 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=832864 diff -Naurp tiff-3.8.2.ori/libtiff/tif_strip.c tiff-3.8.2/libtiff/tif_strip.c --- tiff-3.8.2.ori/libtiff/tif_strip.c 2012-07-04 11:08:40.123666424 -0400 +++ tiff-3.8.2/libtiff/tif_strip.c 2012-07-04 11:10:01.975668521 -0400 @@ -107,6 +107,7 @@ tsize_t TIFFVStripSize(TIFF* tif, uint32 nrows) { TIFFDirectory *td = &tif->tif_dir; + uint32 stripsize; if (nrows == (uint32) -1) nrows = td->td_imagelength; @@ -122,7 +123,7 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) * YCbCr data for the extended image. */ uint16 ycbcrsubsampling[2]; - tsize_t w, scanline, samplingarea; + uint32 w, scanline, samplingarea; TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ycbcrsubsampling + 0, @@ -141,13 +142,27 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); - return ((tsize_t) - summarize(tif, scanline, - multiply(tif, 2, scanline / samplingarea, - "TIFFVStripSize"), "TIFFVStripSize")); + /* a zero anywhere in here means overflow, must return zero */ + if (scanline > 0) { + uint32 extra = + multiply(tif, 2, scanline / samplingarea, + "TIFFVStripSize"); + if (extra > 0) + stripsize = summarize(tif, scanline, extra, + "TIFFVStripSize"); + else + stripsize = 0; + } else + stripsize = 0; } else - return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif), - "TIFFVStripSize")); + stripsize = multiply(tif, nrows, TIFFScanlineSize(tif), + "TIFFVStripSize"); + /* Because tsize_t is signed, we might have conversion overflow */ + if (((tsize_t) stripsize) < 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize"); + stripsize = 0; + } + return (tsize_t) stripsize; } diff -Naurp tiff-3.8.2.ori/libtiff/tif_tile.c tiff-3.8.2/libtiff/tif_tile.c --- tiff-3.8.2.ori/libtiff/tif_tile.c 2006-03-03 07:09:43.000000000 -0500 +++ tiff-3.8.2/libtiff/tif_tile.c 2012-07-04 11:10:01.975668521 -0400 @@ -174,7 +174,7 @@ tsize_t TIFFTileRowSize(TIFF* tif) { TIFFDirectory *td = &tif->tif_dir; - tsize_t rowsize; + uint32 rowsize; if (td->td_tilelength == 0 || td->td_tilewidth == 0) return ((tsize_t) 0); @@ -193,7 +193,7 @@ tsize_t TIFFVTileSize(TIFF* tif, uint32 nrows) { TIFFDirectory *td = &tif->tif_dir; - tsize_t tilesize; + uint32 tilesize; if (td->td_tilelength == 0 || td->td_tilewidth == 0 || td->td_tiledepth == 0) @@ -209,12 +209,12 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) * horizontal/vertical subsampling area include * YCbCr data for the extended image. */ - tsize_t w = + uint32 w = TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); - tsize_t rowsize = + uint32 rowsize = TIFFhowmany8(multiply(tif, w, td->td_bitspersample, "TIFFVTileSize")); - tsize_t samplingarea = + uint32 samplingarea = td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; if (samplingarea == 0) { TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); @@ -223,15 +223,27 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) nrows = TIFFroundup(nrows, td->td_ycbcrsubsampling[1]); /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ tilesize = multiply(tif, nrows, rowsize, "TIFFVTileSize"); - tilesize = summarize(tif, tilesize, - multiply(tif, 2, tilesize / samplingarea, - "TIFFVTileSize"), + /* a zero anywhere in here means overflow, must return zero */ + if (tilesize > 0) { + uint32 extra = + multiply(tif, 2, tilesize / samplingarea, "TIFFVTileSize"); + if (extra > 0) + tilesize = summarize(tif, tilesize, extra, + "TIFFVTileSize"); + else + tilesize = 0; + } } else tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), "TIFFVTileSize"); - return ((tsize_t) - multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize")); + tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"); + /* Because tsize_t is signed, we might have conversion overflow */ + if (((tsize_t) tilesize) < 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize"); + tilesize = 0; + } + return (tsize_t) tilesize; } /*
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor