path: root/main/tiff/CVE-2015-8668.patch
https://git.centos.org/blob/rpms!libtiff.git/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-8668.patch

diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
index 376f4e6..c747c13 100644
--- a/tools/bmp2tiff.c
+++ b/tools/bmp2tiff.c
@@ -614,18 +614,27 @@ main(int argc, char* argv[])
 			    || info_hdr.iCompression == BMPC_RLE4 ) {
 			uint32		i, j, k, runlength;
 			uint32		compr_size, uncompr_size;
+			uint32      bits = 0;
 			unsigned char   *comprbuf;
 			unsigned char   *uncomprbuf;
 
 			compr_size = file_hdr.iSize - file_hdr.iOffBits;
-			uncompr_size = width * length;
-                        /* Detect int overflow */
-                        if( uncompr_size / width != length ) {
-                                TIFFError(infilename,
-                                          "Invalid dimensions of BMP file" );
-                                close(fd);
-                                return -1;
-                        }
+
+			bits = info_hdr.iBitCount;
+
+			if (bits > 8) // bit depth is > 8bit, adjust size
+			{
+				uncompr_size = width * length * (bits / 8);
+				/* Detect int overflow */
+				if (uncompr_size / width / (bits / 8) != length) {
+					TIFFError(infilename,
+							   "Invalid dimensions of BMP file");
+					close(fd);
+					return -1;
+				}
+			}
+			else
+				uncompr_size = width * length;
                         if ( (compr_size == 0) ||
                              (compr_size > ((uint32) ~0) >> 1) ||
                              (uncompr_size == 0) ||
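Review bot: The `else` branch (`uncompr_size = width * length;`, bit depths of 8 or less) is left with no overflow check, because the division test that the removed lines applied to every image now sits only inside the `bits > 8` branch. This block handles `BMPC_RLE8`/`BMPC_RLE4` input, so that is presumably the common path, and a wrapped `uncompr_size` can pass the sanity tests that follow and reach whatever sizes the buffers further down in main(), outside this hunk. In the `bits > 8` branch the single division test runs on a product that may already have wrapped at `width * length`, so checking each multiplication separately is more reliable, as sketched below. Whether `width` is known to be non-zero before the division is not visible in the hunk, so the sketch guards it as well.

```c
/* … unchanged: declarations and compr_size computation … */
			bits = info_hdr.iBitCount;

			uncompr_size = width * length;
			/* Detect int overflow in width * length, for every bit depth */
			if (width == 0 || uncompr_size / width != length) {
				TIFFError(infilename,
					  "Invalid dimensions of BMP file");
				close(fd);
				return -1;
			}
			if (bits > 8) {
				/* bit depth is > 8bit: scale by bytes per pixel, checked */
				uint32 bytes_per_px = bits / 8;

				if (uncompr_size > ((uint32) ~0) / bytes_per_px) {
					TIFFError(infilename,
						  "Invalid dimensions of BMP file");
					close(fd);
					return -1;
				}
				uncompr_size *= bytes_per_px;
			}
/* … unchanged: compr_size / uncompr_size sanity tests … */
```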