0018-CVE-2015-8668.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
index 376f4e6..c747c13 100644
--- a/tools/bmp2tiff.c
+++ b/tools/bmp2tiff.c
@@ -614,19 +614,27 @@ main(int argc, char* argv[])
|| info_hdr.iCompression == BMPC_RLE4 ) {
uint32 i, j, k, runlength;
uint32 compr_size, uncompr_size;
+ uint32 bits = 0;
unsigned char *comprbuf;
unsigned char *uncomprbuf;
compr_size = file_hdr.iSize - file_hdr.iOffBits;
- uncompr_size = width * length;
- /* Detect int overflow */
- if( uncompr_size / width != length )
- {
- TIFFError(infilename,
- "Invalid dimensions of BMP file" );
- close(fd);
- return -1;
- }
+
+ bits = info_hdr.iBitCount;
+
+ if (bits > 8) // bit depth is > 8bit, adjust size
+ {
+ uncompr_size = width * length * (bits / 8);
+ /* Detect int overflow */
+ if (uncompr_size / width / (bits / 8) != length) {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file");
+ close(fd);
+ return -1;
+ }
+ }
+ else
+ uncompr_size = width * length;
comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
if (!comprbuf) {
TIFFError(infilename,