karasz
/
package-update
1
0
Fork 0
Code Issues Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11671 Commits
46 Branches
0 Tags
0 B
 
 
 
 
 
 
Tree: 07b56c5e10
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '07b56c5e10'
${ noResults }
package-update/graphic/libtiff/libtiff-4.0.3-0101-CVE-2012...

73 lines
2.5 KiB
Raw Blame History

# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../libtiff/libtiff-4.0.3-0101-CVE-2012-4447.patch
# Copyright (C) 2013 The OpenSDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---
From ea1f57c13f083528b6b38350aa00c3c0f44a1c9d Mon Sep 17 00:00:00 2001
From: tgl <tgl>
Date: Mon, 10 Dec 2012 17:27:13 +0000
Subject: [PATCH] Detect integer overflow in addition when computing buffer
size.
original ChangeLog entry:
----------------------------------------------------------------------------
2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>
* libtiff/tif_pixarlog.c: Improve previous patch for CVE-2012-4447
(to enlarge tbuf for possible partial stride at end) so that
overflow in the integer addition is detected. Per gripe from
Huzaifa Sidhpurwala.
----------------------------------------------------------------------------
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 572dc7f..ba554e7 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -644,6 +644,20 @@ multiply_ms(tmsize_t m1, tmsize_t m2)
return bytes;
}
+static tmsize_t
+add_ms(tmsize_t m1, tmsize_t m2)
+{
+ tmsize_t bytes = m1 + m2;
+
+ /* if either input is zero, assume overflow already occurred */
+ if (m1 == 0 || m2 == 0)
+ bytes = 0;
+ else if (bytes <= m1 || bytes <= m2)
+ bytes = 0;
+
+ return bytes;
+}
+
static int
PixarLogFixupTags(TIFF* tif)
{
@@ -671,9 +685,11 @@ PixarLogSetupDecode(TIFF* tif)
td->td_samplesperpixel : 1);
tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
td->td_rowsperstrip), sizeof(uint16));
+ /* add one more stride in case input ends mid-stride */
+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
if (tbuf_size == 0)
return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
--
1.7.10.2