# --- SDE-COPYRIGHT-NOTE-BEGIN --- # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # Filename: package/.../libtiff/libtiff-4.0.3-0101-CVE-2012-4447.patch # Copyright (C) 2013 The OpenSDE Project # # More information can be found in the files COPYING and README. # # This patch file is dual-licensed. It is available under the license the # patched project is licensed under, as long as it is an OpenSource license # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 2 of the License, or (at your option) any later # version. # --- SDE-COPYRIGHT-NOTE-END --- From ea1f57c13f083528b6b38350aa00c3c0f44a1c9d Mon Sep 17 00:00:00 2001 From: tgl Date: Mon, 10 Dec 2012 17:27:13 +0000 Subject: [PATCH] Detect integer overflow in addition when computing buffer size. original ChangeLog entry: ---------------------------------------------------------------------------- 2012-12-10 Tom Lane * libtiff/tif_pixarlog.c: Improve previous patch for CVE-2012-4447 (to enlarge tbuf for possible partial stride at end) so that overflow in the integer addition is detected. Per gripe from Huzaifa Sidhpurwala. ---------------------------------------------------------------------------- diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index 572dc7f..ba554e7 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c @@ -644,6 +644,20 @@ multiply_ms(tmsize_t m1, tmsize_t m2) return bytes; } +static tmsize_t +add_ms(tmsize_t m1, tmsize_t m2) +{ + tmsize_t bytes = m1 + m2; + + /* if either input is zero, assume overflow already occurred */ + if (m1 == 0 || m2 == 0) + bytes = 0; + else if (bytes <= m1 || bytes <= m2) + bytes = 0; + + return bytes; +} + static int PixarLogFixupTags(TIFF* tif) { @@ -671,9 +685,11 @@ PixarLogSetupDecode(TIFF* tif) td->td_samplesperpixel : 1); tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), td->td_rowsperstrip), sizeof(uint16)); + /* add one more stride in case input ends mid-stride */ + tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); if (tbuf_size == 0) return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); if (sp->tbuf == NULL) return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) -- 1.7.10.2