source: packages/libs/tiff/patches/001-CVE-2012-1173.patch @ 31367

Last change on this file since 31367 was 31367, checked in by florian, 5 years ago

[package] tiff: update to 4.0.1 and include CVE-2012-1173 patch

File size: 2.5 KB
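--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -692,6 +692,7 @@
         unsigned char* p2;
         unsigned char* pa;
         tmsize_t tilesize;
+        tmsize_t bufsize;
         int32 fromskew, toskew;
         int alpha = img->alpha;
         uint32 nrow;
@@ -699,12 +700,17 @@
         int colorchannels;
 
         tilesize = TIFFTileSize(tif);  
-        buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
+        bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
+        if (bufsize == 0) {
+                TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
+                return (0);
+        }
+        buf = (unsigned char*) _TIFFmalloc(bufsize);
         if (buf == 0) {
                 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "No space for tile buffer");
                 return (0);
         }
-        _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
+        _TIFFmemset(buf, 0, bufsize);
         p0 = buf;
         p1 = p0 + tilesize;
         p2 = p1 + tilesize;
@@ -917,17 +923,23 @@
         uint32 rowsperstrip, offset_row;
         uint32 imagewidth = img->width;
         tmsize_t stripsize;
+        tmsize_t bufsize;
         int32 fromskew, toskew;
         int alpha = img->alpha;
         int ret = 1, flip, colorchannels;
 
         stripsize = TIFFStripSize(tif);  
-        p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
+        bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
+        if (bufsize == 0) {
+                TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
+                return (0);
+        }
+        p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
         if (buf == 0) {
                 TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
                 return (0);
         }
-        _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
+        _TIFFmemset(buf, 0, bufsize);
         p1 = p0 + stripsize;
         p2 = p1 + stripsize;
         pa = (alpha?(p2+stripsize):NULL);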
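Review bot: The new `bufsize == 0` guard in gtTileSeparate (and the identical one in gtStripSeparate further down) also fires when `TIFFTileSize()` / `TIFFStripSize()` itself returns 0, because TIFFSafeMultiply yields 0 for a zero multiplicand, so a zero-size tile or strip is logged as "Integer overflow". The outcome is still a safe early return, but the log line points triage at the wrong cause; a separate guard ahead of the multiply, `if (tilesize <= 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid tile size"); return (0); }`, would keep the two cases apart. The `<= 0` form also rejects a negative size, which the macro lets through since tmsize_t is signed; whether the size functions can return one is not visible here. In gtStripSeparate the context line still says "No space for tile buffer" for what is a strip buffer. Both function bodies start and end outside the visible hunks.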
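--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -250,7 +250,7 @@
 #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
 
 /* Safe multiply which returns zero if there is an integer overflow */
-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
+#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
 
 #define TIFFmax(A,B) ((A)>(B)?(A):(B))
 #define TIFFmin(A,B) ((A)<(B)?(A):(B))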
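Review bot: The rewritten TIFFSafeMultiply still detects overflow after the fact, by computing `(v)*(m)` and dividing back, and with signed operands such as the tmsize_t sizes passed from tif_getimage.c an overflowing multiply is undefined behaviour, so an optimising compiler is entitled to treat the division check as always true. The check should be made before the multiply, comparing `(m)` against the maximum of `t` divided by `(v)`, or the multiply done in an unsigned type of the same width. The macro also expands `v` and `m` several times, so the comment above it should say so, for example `/* Returns zero on overflow or when m is zero; v and m are evaluated more than once and must be free of side effects */`.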