rpms/libtiff
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c3eccd2c64
libtiff/libtiff-CVE-2018-10779.patch

25 lines
1.1 KiB
Diff
Raw Normal View History

Fix CVE-2018-10779 (#1577316)
2018-10-11 11:09:09 +00:00
commit 14ffb69a5892fcfff6c72e73af74565467ab6ae9
Author: Even Rouault <even.rouault@spatialys.com>
Date: Wed Aug 15 16:34:40 2018 +0200
TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit systems with large number of strips. Probably relates to http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
index 4c216ec..208a2ee 100644
--- a/libtiff/tif_write.c
+++ b/libtiff/tif_write.c
@@ -540,9 +540,11 @@ TIFFSetupStrips(TIFF* tif)
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
td->td_stripsperimage /= td->td_samplesperpixel;
td->td_stripoffset = (uint64 *)
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+ "for \"StripOffsets\" array");
td->td_stripbytecount = (uint64 *)
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+ "for \"StripByteCounts\" array");
if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
return (0);
/*
Reference in New Issue Copy Permalink