rpms/libtiff
5
0
Fork 0
Code Issues Pull Requests Releases Activity
15d4f182c8
libtiff/libtiff-CVE-2018-12900_CVE-2019-7663.patch
Nikola Forró 0489e94ddf Fix CVE-2018-19210 (#1649387)
2019-06-12 17:18:50 +02:00

48 lines
1.2 KiB
Diff
Raw Blame History

From 2cd851937e887704aa6838b272015de93f48bb44 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 10:05:33 +0100
Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
fixes bug 2833
---
tools/tiffcp.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 2f406e2..8c81aa4 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -41,6 +41,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include <ctype.h>
@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
int status = 1;
uint32 imagew = TIFFRasterScanlineSize(in);
uint32 tilew = TIFFTileRowSize(in);
- int iskew = imagew - tilew*spp;
+ int iskew;
tsize_t tilesize = TIFFTileSize(in);
tdata_t tilebuf;
uint8* bufp = (uint8*) buf;
@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
uint32 row;
uint16 bps = 0, bytes_per_sample;
+ if (spp > (INT_MAX / tilew))
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0;
+ }
+ iskew = imagew - tilew*spp;
tilebuf = _TIFFmalloc(tilesize);
if (tilebuf == 0)
return 0;
--
2.21.0
Reference in New Issue View Git Blame Copy Permalink