blob: ebf9a00e1b6da17c8bf9f81762925b6c13b254c8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
Upstream patch for CVE-2012-4447.
diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400
+++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500
@@ -644,6 +644,20 @@
return bytes;
}
+static tmsize_t
+add_ms(tmsize_t m1, tmsize_t m2)
+{
+ tmsize_t bytes = m1 + m2;
+
+ /* if either input is zero, assume overflow already occurred */
+ if (m1 == 0 || m2 == 0)
+ bytes = 0;
+ else if (bytes <= m1 || bytes <= m2)
+ bytes = 0;
+
+ return bytes;
+}
+
static int
PixarLogFixupTags(TIFF* tif)
{
@@ -671,9 +685,11 @@
td->td_samplesperpixel : 1);
tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
td->td_rowsperstrip), sizeof(uint16));
+ /* add one more stride in case input ends mid-stride */
+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
if (tbuf_size == 0)
return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
|