diff options
Diffstat (limited to 'source/l/libtiff/libtiff-CVE-2012-1173.patch')
-rw-r--r-- | source/l/libtiff/libtiff-CVE-2012-1173.patch | 71 |
1 files changed, 0 insertions, 71 deletions
diff --git a/source/l/libtiff/libtiff-CVE-2012-1173.patch b/source/l/libtiff/libtiff-CVE-2012-1173.patch deleted file mode 100644 index 0ada700b..00000000 --- a/source/l/libtiff/libtiff-CVE-2012-1173.patch +++ /dev/null @@ -1,71 +0,0 @@ -This patch is submitted to upstream for CVE-2012-1173 - - -diff -Naur tiff-3.9.5.orig/libtiff/tif_getimage.c tiff-3.9.5/libtiff/tif_getimage.c ---- tiff-3.9.5.orig/libtiff/tif_getimage.c 2010-07-08 12:17:59.000000000 -0400 -+++ tiff-3.9.5/libtiff/tif_getimage.c 2012-03-14 14:49:25.796728783 -0400 -@@ -673,18 +673,24 @@ - unsigned char* p2; - unsigned char* pa; - tsize_t tilesize; -+ tsize_t bufsize; - int32 fromskew, toskew; - int alpha = img->alpha; - uint32 nrow; - int ret = 1, flip; - - tilesize = TIFFTileSize(tif); -- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); -+ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize); -+ if (bufsize == 0) { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); -+ return (0); -+ } -+ buf = (unsigned char*) _TIFFmalloc(bufsize); - if (buf == 0) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); - return (0); - } -- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); -+ _TIFFmemset(buf, 0, bufsize); - p0 = buf; - p1 = p0 + tilesize; - p2 = p1 + tilesize; -@@ -880,17 +886,23 @@ - uint32 rowsperstrip, offset_row; - uint32 imagewidth = img->width; - tsize_t stripsize; -+ tsize_t bufsize; - int32 fromskew, toskew; - int alpha = img->alpha; - int ret = 1, flip; - - stripsize = TIFFStripSize(tif); -- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); -+ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize); -+ if (bufsize == 0) { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); -+ return (0); -+ } -+ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); - if (buf == 0) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); - return (0); - } -- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); -+ _TIFFmemset(buf, 0, bufsize); - p1 = p0 + stripsize; - p2 = p1 + stripsize; - pa = (alpha?(p2+stripsize):NULL); -diff -Naur tiff-3.9.5.orig/libtiff/tiffiop.h tiff-3.9.5/libtiff/tiffiop.h ---- tiff-3.9.5.orig/libtiff/tiffiop.h 2011-03-28 09:43:43.000000000 -0400 -+++ tiff-3.9.5/libtiff/tiffiop.h 2012-03-14 14:49:25.797728754 -0400 -@@ -246,7 +246,7 @@ - #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) - - /* Safe multiply which returns zero if there is an integer overflow */ --#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) -+#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) - - #define TIFFmax(A,B) ((A)>(B)?(A):(B)) - #define TIFFmin(A,B) ((A)<(B)?(A):(B)) |