2022-06-16 05:07:26 +00:00
|
|
|
From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001
|
2022-05-26 14:57:59 +00:00
|
|
|
From: Thomas Bernard <miniupnp@free.fr>
|
|
|
|
|
Date: Sat, 14 Nov 2020 12:53:01 +0000
|
2022-06-16 05:07:26 +00:00
|
|
|
Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when
|
|
|
|
|
saving to JPEG YCbCr
|
2022-05-26 14:57:59 +00:00
|
|
|
|
|
|
|
|
fixes #220
|
2022-06-16 05:07:26 +00:00
|
|
|
|
|
|
|
|
(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22)
|
2022-05-26 14:57:59 +00:00
|
|
|
---
|
|
|
|
|
tools/tiff2pdf.c | 14 +++++++++++---
|
|
|
|
|
1 file changed, 11 insertions(+), 3 deletions(-)
|
|
|
|
|
|
|
|
|
|
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
2022-06-16 05:07:26 +00:00
|
|
|
index ff7b9c22..a5db1f64 100644
|
2022-05-26 14:57:59 +00:00
|
|
|
--- a/tools/tiff2pdf.c
|
|
|
|
|
+++ b/tools/tiff2pdf.c
|
|
|
|
|
@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
|
|
|
|
|
#endif
|
|
|
|
|
(void) 0;
|
|
|
|
|
}
|
|
|
|
|
- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
|
|
|
|
|
- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
|
|
|
|
|
- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
|
|
|
|
|
+#ifdef JPEG_SUPPORT
|
|
|
|
|
+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
|
|
|
|
|
+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
|
|
|
|
|
+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
|
|
|
|
|
+ } else
|
|
|
|
|
+#endif
|
|
|
|
|
+ {
|
|
|
|
|
+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
|
|
|
|
|
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
|
|
|
|
|
+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
|
|
|
|
|
+ }
|
|
|
|
|
}
|
|
|
|
|
if (k == 0) {
|
|
|
|
|
/* Assume we had overflow inside TIFFScanlineSize */
|
