This is a portion of the patch we were carrying for CVE-2009-2347 in 3.8.2. Unfortunately the upstream fix in 3.9.2 is incomplete, so we still need this part. Reported upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2079
diff -Naur tiff-3.9.2.orig/tools/tiff2rgba.c tiff-3.9.2/tools/tiff2rgba.c
--- tiff-3.9.2.orig/tools/tiff2rgba.c 2009-08-20 16:23:53.000000000 -0400
+++ tiff-3.9.2/tools/tiff2rgba.c 2009-12-03 12:19:07.000000000 -0500
@@ -125,6 +125,17 @@
 return (0);
 }

+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
 static int
 cvt_by_tile( TIFF *in, TIFF *out )

@@ -134,6 +145,7 @@
 uint32 tile_width, tile_height;
 uint32 row, col;
 uint32 *wrk_line;
+ tsize_t raster_size;
 int ok = 1;

 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -151,7 +163,14 @@
 /*
 * Allocate tile buffer
 */
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) tile_width, (unsigned long) tile_height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);
@@ -159,7 +178,7 @@

 /*
 * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
 */
 wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
 if (!wrk_line) {
@@ -236,6 +255,7 @@
 uint32 width, height; /* image width & height */
 uint32 row;
 uint32 *wrk_line;
+ tsize_t raster_size;
 int ok = 1;

 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
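Review bot: The overflow test in `multiply` runs only after `m1 * m2` has already been computed, and `tsize_t` is a signed type in this libtiff generation (the 3.9 headers typedef it from int32 as far as I recall — please confirm), so a large product is signed overflow, which is undefined behaviour rather than a wrap that the following `prod / m1` test can rely on; negative operands are also never rejected. That matters for the callers in the `@@ -151` hunk and in the `@@ -251` hunk on the next line: they pass uint32 dimensions that turn negative once above the positive tsize_t range, and `if (!raster_size)` only catches zero, so a negative size can reach `_TIFFmalloc`. Refusing negative operands up front, doing the arithmetic in the unsigned counterpart of tsize_t, and rejecting a product that does not fit the signed result closes both gaps; if tsize_t is wider than 32 bits in this build, substitute the matching unsigned type for uint32 below.
```c
static tsize_t
multiply(tsize_t m1, tsize_t m2)
{
    uint32 prod;

    /* uint32 dimensions beyond the positive tsize_t range arrive here negative. */
    if (m1 < 0 || m2 < 0)
        return 0;
    /* Unsigned arithmetic wraps by definition, so the division test is sound. */
    prod = (uint32) m1 * (uint32) m2;
    if (m1 && prod / (uint32) m1 != (uint32) m2)
        return 0; /* overflow */
    if ((tsize_t) prod < 0)
        return 0; /* does not fit the signed result type */

    return (tsize_t) prod;
}
```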
@@ -251,7 +271,14 @@
 /*
 * Allocate strip buffer
 */
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) rowsperstrip);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);
@@ -259,7 +286,7 @@

 /*
 * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
 */
 wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
 if (!wrk_line) {