libtiff/libtiff-CVE-2019-7663.patch

From 67c11eb5abaf36445650fac968667b62a3ccd0bb Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 10:05:33 +0100
Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow

fixes bug 2833
---
 tools/tiffcp.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 2f406e2..f0ee2c0 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
 	int status = 1;
 	uint32 imagew = TIFFRasterScanlineSize(in);
 	uint32 tilew = TIFFTileRowSize(in);
-	int iskew  = imagew - tilew*spp;
+	int iskew;
 	tsize_t tilesize = TIFFTileSize(in);
 	tdata_t tilebuf;
 	uint8* bufp = (uint8*) buf;
@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
 	uint32 row;
 	uint16 bps = 0, bytes_per_sample;
 
+	if (spp > (0x7fffffff / tilew))
+	{
+		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+		return 0;
+	}
+	iskew = imagew - tilew*spp;
 	tilebuf = _TIFFmalloc(tilesize);
 	if (tilebuf == 0)
 		return 0;
-- 
2.17.2
Fix CVE-2019-7663 (#1677529) 2019-02-15 13:19:50 +00:00			`From 67c11eb5abaf36445650fac968667b62a3ccd0bb Mon Sep 17 00:00:00 2001`
			`From: Thomas Bernard <miniupnp@free.fr>`
			`Date: Mon, 11 Feb 2019 10:05:33 +0100`
			`Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow`

			`fixes bug 2833`
			`---`
			`tools/tiffcp.c \| 8 +++++++-`
			`1 file changed, 7 insertions(+), 1 deletion(-)`

			`diff --git a/tools/tiffcp.c b/tools/tiffcp.c`
			`index 2f406e2..f0ee2c0 100644`
			`--- a/tools/tiffcp.c`
			`+++ b/tools/tiffcp.c`
			`@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)`
			`int status = 1;`
			`uint32 imagew = TIFFRasterScanlineSize(in);`
			`uint32 tilew = TIFFTileRowSize(in);`
			`- int iskew = imagew - tilew*spp;`
			`+ int iskew;`
			`tsize_t tilesize = TIFFTileSize(in);`
			`tdata_t tilebuf;`
			`uint8* bufp = (uint8*) buf;`
			`@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)`
			`uint32 row;`
			`uint16 bps = 0, bytes_per_sample;`

			`+ if (spp > (0x7fffffff / tilew))`
			`+ {`
			`+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");`
			`+ return 0;`
			`+ }`
			`+ iskew = imagew - tilew*spp;`
			`tilebuf = _TIFFmalloc(tilesize);`
			`if (tilebuf == 0)`
			`return 0;`
			`--`
			`2.17.2`