# --- SDE-COPYRIGHT-NOTE-BEGIN --- # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # Filename: package/.../libtiff/libtiff-4.0.3-0100-CVE-2012-4564.patch # Copyright (C) 2013 The OpenSDE Project # # More information can be found in the files COPYING and README. # # This patch file is dual-licensed. It is available under the license the # patched project is licensed under, as long as it is an OpenSource license # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 2 of the License, or (at your option) any later # version. # --- SDE-COPYRIGHT-NOTE-END --- From fd1356f7003d47cf59392679c08a2dacc556bce4 Mon Sep 17 00:00:00 2001 From: fwarmerdam Date: Fri, 2 Nov 2012 05:13:24 +0000 Subject: [PATCH] ppm2tiff: fix zero size buffer exploit (CVE-2012-4564) original commit message: fix zero size buffer exploit (CVE-2012-4564) in ppm2tiff original ChangeLog entry: ---------------------------------------------------------------------------- 2012-11-01 Frank Warmerdam * tools/ppm2tiff.c: avoid zero size buffer vulnerability. CVE-2012-4564 - Thanks to Huzaifa Sidhpurwala of the Red Hat Security Response team for the fix. ---------------------------------------------------------------------------- original commit message: Improve previous patch for CVE-2012-4564. original ChangeLog entry: ---------------------------------------------------------------------------- 2012-12-10 Tom Lane * tools/ppm2tiff.c: Improve previous patch for CVE-2012-4564: check the linebytes calculation too, get the max() calculation straight, avoid redundant error messages, check for malloc failure. ---------------------------------------------------------------------------- diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c index 8910e76..d2f72a2 100644 --- a/tools/ppm2tiff.c +++ b/tools/ppm2tiff.c @@ -72,6 +72,17 @@ BadPPM(char* file) exit(-2); } +static tmsize_t +multiply_ms(tmsize_t m1, tmsize_t m2) +{ + tmsize_t bytes = m1 * m2; + + if (m1 && bytes / m1 != m2) + bytes = 0; + + return bytes; +} + int main(int argc, char* argv[]) { @@ -79,7 +90,7 @@ main(int argc, char* argv[]) uint32 rowsperstrip = (uint32) -1; double resolution = -1; unsigned char *buf = NULL; - tsize_t linebytes = 0; + tmsize_t linebytes = 0; uint16 spp = 1; uint16 bpp = 8; TIFF *out; @@ -89,6 +100,7 @@ main(int argc, char* argv[]) int c; extern int optind; extern char* optarg; + tmsize_t scanline_size; if (argc < 2) { fprintf(stderr, "%s: Too few arguments\n", argv[0]); @@ -221,7 +233,8 @@ main(int argc, char* argv[]) } switch (bpp) { case 1: - linebytes = (spp * w + (8 - 1)) / 8; + /* if round-up overflows, result will be zero, OK */ + linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; if (rowsperstrip == (uint32) -1) { TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); } else { @@ -230,15 +243,31 @@ main(int argc, char* argv[]) } break; case 8: - linebytes = spp * w; + linebytes = multiply_ms(spp, w); TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, TIFFDefaultStripSize(out, rowsperstrip)); break; } - if (TIFFScanlineSize(out) > linebytes) + if (linebytes == 0) { + fprintf(stderr, "%s: scanline size overflow\n", infile); + (void) TIFFClose(out); + exit(-2); + } + scanline_size = TIFFScanlineSize(out); + if (scanline_size == 0) { + /* overflow - TIFFScanlineSize already printed a message */ + (void) TIFFClose(out); + exit(-2); + } + if (scanline_size < linebytes) buf = (unsigned char *)_TIFFmalloc(linebytes); else - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + buf = (unsigned char *)_TIFFmalloc(scanline_size); + if (buf == NULL) { + fprintf(stderr, "%s: Not enough memory\n", infile); + (void) TIFFClose(out); + exit(-2); + } if (resolution > 0) { TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); -- 1.7.10.2