130 lines
4.0 KiB
130 lines
4.0 KiB
12 years ago
|
# --- SDE-COPYRIGHT-NOTE-BEGIN ---
|
||
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
|
||
|
#
|
||
|
# Filename: package/.../libtiff/libtiff-4.0.3-0100-CVE-2012-4564.patch
|
||
|
# Copyright (C) 2013 The OpenSDE Project
|
||
|
#
|
||
|
# More information can be found in the files COPYING and README.
|
||
|
#
|
||
|
# This patch file is dual-licensed. It is available under the license the
|
||
|
# patched project is licensed under, as long as it is an OpenSource license
|
||
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
|
||
|
# of the GNU General Public License as published by the Free Software
|
||
|
# Foundation; either version 2 of the License, or (at your option) any later
|
||
|
# version.
|
||
|
# --- SDE-COPYRIGHT-NOTE-END ---
|
||
|
|
||
|
From fd1356f7003d47cf59392679c08a2dacc556bce4 Mon Sep 17 00:00:00 2001
|
||
|
From: fwarmerdam <fwarmerdam>
|
||
|
Date: Fri, 2 Nov 2012 05:13:24 +0000
|
||
|
Subject: [PATCH] ppm2tiff: fix zero size buffer exploit (CVE-2012-4564)
|
||
|
|
||
|
original commit message: fix zero size buffer exploit (CVE-2012-4564) in ppm2tiff
|
||
|
original ChangeLog entry:
|
||
|
----------------------------------------------------------------------------
|
||
|
2012-11-01 Frank Warmerdam <warmerdam@pobox.com>
|
||
|
|
||
|
* tools/ppm2tiff.c: avoid zero size buffer vulnerability.
|
||
|
CVE-2012-4564 - Thanks to Huzaifa Sidhpurwala of the
|
||
|
Red Hat Security Response team for the fix.
|
||
|
----------------------------------------------------------------------------
|
||
|
|
||
|
original commit message: Improve previous patch for CVE-2012-4564.
|
||
|
original ChangeLog entry:
|
||
|
----------------------------------------------------------------------------
|
||
|
2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>
|
||
|
|
||
|
* tools/ppm2tiff.c: Improve previous patch for CVE-2012-4564:
|
||
|
check the linebytes calculation too, get the max() calculation
|
||
|
straight, avoid redundant error messages, check for malloc
|
||
|
failure.
|
||
|
----------------------------------------------------------------------------
|
||
|
|
||
|
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
||
|
index 8910e76..d2f72a2 100644
|
||
|
--- a/tools/ppm2tiff.c
|
||
|
+++ b/tools/ppm2tiff.c
|
||
|
@@ -72,6 +72,17 @@ BadPPM(char* file)
|
||
|
exit(-2);
|
||
|
}
|
||
|
|
||
|
+static tmsize_t
|
||
|
+multiply_ms(tmsize_t m1, tmsize_t m2)
|
||
|
+{
|
||
|
+ tmsize_t bytes = m1 * m2;
|
||
|
+
|
||
|
+ if (m1 && bytes / m1 != m2)
|
||
|
+ bytes = 0;
|
||
|
+
|
||
|
+ return bytes;
|
||
|
+}
|
||
|
+
|
||
|
int
|
||
|
main(int argc, char* argv[])
|
||
|
{
|
||
|
@@ -79,7 +90,7 @@ main(int argc, char* argv[])
|
||
|
uint32 rowsperstrip = (uint32) -1;
|
||
|
double resolution = -1;
|
||
|
unsigned char *buf = NULL;
|
||
|
- tsize_t linebytes = 0;
|
||
|
+ tmsize_t linebytes = 0;
|
||
|
uint16 spp = 1;
|
||
|
uint16 bpp = 8;
|
||
|
TIFF *out;
|
||
|
@@ -89,6 +100,7 @@ main(int argc, char* argv[])
|
||
|
int c;
|
||
|
extern int optind;
|
||
|
extern char* optarg;
|
||
|
+ tmsize_t scanline_size;
|
||
|
|
||
|
if (argc < 2) {
|
||
|
fprintf(stderr, "%s: Too few arguments\n", argv[0]);
|
||
|
@@ -221,7 +233,8 @@ main(int argc, char* argv[])
|
||
|
}
|
||
|
switch (bpp) {
|
||
|
case 1:
|
||
|
- linebytes = (spp * w + (8 - 1)) / 8;
|
||
|
+ /* if round-up overflows, result will be zero, OK */
|
||
|
+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
|
||
|
if (rowsperstrip == (uint32) -1) {
|
||
|
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
|
||
|
} else {
|
||
|
@@ -230,15 +243,31 @@ main(int argc, char* argv[])
|
||
|
}
|
||
|
break;
|
||
|
case 8:
|
||
|
- linebytes = spp * w;
|
||
|
+ linebytes = multiply_ms(spp, w);
|
||
|
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
|
||
|
TIFFDefaultStripSize(out, rowsperstrip));
|
||
|
break;
|
||
|
}
|
||
|
- if (TIFFScanlineSize(out) > linebytes)
|
||
|
+ if (linebytes == 0) {
|
||
|
+ fprintf(stderr, "%s: scanline size overflow\n", infile);
|
||
|
+ (void) TIFFClose(out);
|
||
|
+ exit(-2);
|
||
|
+ }
|
||
|
+ scanline_size = TIFFScanlineSize(out);
|
||
|
+ if (scanline_size == 0) {
|
||
|
+ /* overflow - TIFFScanlineSize already printed a message */
|
||
|
+ (void) TIFFClose(out);
|
||
|
+ exit(-2);
|
||
|
+ }
|
||
|
+ if (scanline_size < linebytes)
|
||
|
buf = (unsigned char *)_TIFFmalloc(linebytes);
|
||
|
else
|
||
|
- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
|
||
|
+ buf = (unsigned char *)_TIFFmalloc(scanline_size);
|
||
|
+ if (buf == NULL) {
|
||
|
+ fprintf(stderr, "%s: Not enough memory\n", infile);
|
||
|
+ (void) TIFFClose(out);
|
||
|
+ exit(-2);
|
||
|
+ }
|
||
|
if (resolution > 0) {
|
||
|
TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
|
||
|
TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
|
||
|
--
|
||
|
1.7.10.2
|
||
|
|