diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2012-09-26 01:10:42 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2018-05-31 22:51:55 +0200 |
commit | 9664bee729d487bcc0a0bc35859f8e13d5421c75 (patch) | |
tree | b428a16618e36ed864a8d76ea3435e19a452bf90 /source/l/libtiff/libtiff-CVE-2012-1173.patch | |
parent | 75a4a592e5ccda30715f93563d741b83e0dcf39e (diff) | |
download | current-9664bee729d487bcc0a0bc35859f8e13d5421c75.tar.gz |
Slackware 14.0slackware-14.0
Wed Sep 26 01:10:42 UTC 2012
Slackware 14.0 x86_64 stable is released!
We're perfectionists here at Slackware, so this release has been a long
time a-brewing. But we think you'll agree that it was worth the wait.
Slackware 14.0 combines modern components, ease of use, and flexible
configuration... our "KISS" philosophy demands it.
The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a
dual-sided
32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware
project by picking up a copy from store.slackware.com. We're taking
pre-orders now, and offer a discount if you sign up for a subscription.
Thanks to everyone who helped make this happen. The Slackware team, the
upstream developers, and (of course) the awesome Slackware user
community.
Have fun! :-)
Diffstat (limited to 'source/l/libtiff/libtiff-CVE-2012-1173.patch')
-rw-r--r-- | source/l/libtiff/libtiff-CVE-2012-1173.patch | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/source/l/libtiff/libtiff-CVE-2012-1173.patch b/source/l/libtiff/libtiff-CVE-2012-1173.patch new file mode 100644 index 00000000..0ada700b --- /dev/null +++ b/source/l/libtiff/libtiff-CVE-2012-1173.patch @@ -0,0 +1,71 @@ +This patch is submitted to upstream for CVE-2012-1173 + + +diff -Naur tiff-3.9.5.orig/libtiff/tif_getimage.c tiff-3.9.5/libtiff/tif_getimage.c +--- tiff-3.9.5.orig/libtiff/tif_getimage.c 2010-07-08 12:17:59.000000000 -0400 ++++ tiff-3.9.5/libtiff/tif_getimage.c 2012-03-14 14:49:25.796728783 -0400 +@@ -673,18 +673,24 @@ + unsigned char* p2; + unsigned char* pa; + tsize_t tilesize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + uint32 nrow; + int ret = 1, flip; + + tilesize = TIFFTileSize(tif); +- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); ++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); ++ return (0); ++ } ++ buf = (unsigned char*) _TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); ++ _TIFFmemset(buf, 0, bufsize); + p0 = buf; + p1 = p0 + tilesize; + p2 = p1 + tilesize; +@@ -880,17 +886,23 @@ + uint32 rowsperstrip, offset_row; + uint32 imagewidth = img->width; + tsize_t stripsize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + int ret = 1, flip; + + stripsize = TIFFStripSize(tif); +- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); ++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); ++ return (0); ++ } ++ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); ++ _TIFFmemset(buf, 0, bufsize); + p1 = p0 + stripsize; + p2 = p1 + stripsize; + pa = (alpha?(p2+stripsize):NULL); +diff -Naur tiff-3.9.5.orig/libtiff/tiffiop.h tiff-3.9.5/libtiff/tiffiop.h +--- tiff-3.9.5.orig/libtiff/tiffiop.h 2011-03-28 09:43:43.000000000 -0400 ++++ tiff-3.9.5/libtiff/tiffiop.h 2012-03-14 14:49:25.797728754 -0400 +@@ -246,7 +246,7 @@ + #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) + + /* Safe multiply which returns zero if there is an integer overflow */ +-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) |