File tiff-3.9.4-CVE-2012-1173.patch of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-3.9.4-CVE-2012-1173.patch of Package tiff

--- libtiff/tiffiop.h.orig	2012-04-23 09:58:14.118970415 +0200
+++ libtiff/tiffiop.h	2012-04-23 10:05:05.130982770 +0200
@@ -226,6 +226,9 @@
 #define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
 #define	TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
 
+ /* Safe multiply which returns zero if there is an integer overflow */
+#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+
 #define TIFFmax(A,B) ((A)>(B)?(A):(B))
 #define TIFFmin(A,B) ((A)<(B)?(A):(B))
 
--- libtiff/tif_getimage.c.orig	2012-04-23 09:58:14.118970415 +0200
+++ libtiff/tif_getimage.c	2012-04-23 10:04:15.690981315 +0200
@@ -665,18 +665,24 @@
     unsigned char* b;
     unsigned char* a;
     tsize_t tilesize;
+    tsize_t bufsize;
     int32 fromskew, toskew;
     int alpha = img->alpha;
     uint32 nrow;
     int ret = 1, flip;
 
     tilesize = TIFFTileSize(tif);
-    buf = (unsigned char*) _TIFFmalloc(4*tilesize);
+    bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize);
+    if (bufsize == 0) {
+    	TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
+    	return (0);
+    }
+    buf = (unsigned char*) _TIFFmalloc(bufsize);
     if (buf == 0) {
 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
 		return (0);
     }
-    _TIFFmemset(buf, 0, 4*tilesize);
+    _TIFFmemset(buf, 0, bufsize);
     r = buf;
     g = r + tilesize;
     b = g + tilesize;
@@ -866,12 +872,18 @@
     uint32 rowsperstrip, offset_row;
     uint32 imagewidth = img->width;
     tsize_t stripsize;
+    tsize_t bufsize;
     int32 fromskew, toskew;
     int alpha = img->alpha;
     int	ret = 1, flip;
 
     stripsize = TIFFStripSize(tif);
-    r = buf = (unsigned char *)_TIFFmalloc(4*stripsize);
+    bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize);
+    if (bufsize == 0) {
+	TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
+	return (0);
+    }
+    r = buf = (unsigned char *)_TIFFmalloc(bufsize);
     if (buf == 0) {
 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
 		return (0);

Places

File tiff-3.9.4-CVE-2012-1173.patch of Package tiff

Places