0021-CVE-2016-3945.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
From a9bb0f1406e9da35da4da13eabacb00d9cc2efcb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Mon, 11 Jul 2016 16:05:49 +0200
Subject: [PATCH 5/8] Fix CVE-2016-3945
---
tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 737167c..5228966 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -145,6 +145,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
uint32 row, col;
uint32 *wrk_line;
int ok = 1;
+ uint32 rastersize, wrk_linesize;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -161,7 +162,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
/*
* Allocate tile buffer
*/
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ rastersize = tile_width * tile_height * sizeof (uint32);
+ if (width != (tile_width / tile_height) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -171,7 +178,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
* Allocate a scanline buffer for swapping during the vertical
* mirroring pass.
*/
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ wrk_linesize = tile_width * sizeof (uint32);
+ if (wrk_linesize != tile_width / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
if (!wrk_line) {
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
ok = 0;
@@ -247,6 +260,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
uint32 row;
uint32 *wrk_line;
int ok = 1;
+ uint32 rastersize, wrk_linesize;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -261,7 +275,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
/*
* Allocate strip buffer
*/
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ rastersize = width * rowsperstrip * sizeof (uint32);
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -271,7 +291,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
* Allocate a scanline buffer for swapping during the vertical
* mirroring pass.
*/
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ wrk_linesize = width * sizeof (uint32);
+ if (wrk_linesize != width / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
if (!wrk_line) {
TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
ok = 0;
--
2.7.4