Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
possibility in the same file, which wasn't given a separate CVE.
diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
|
|
--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
|
|
+++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
|
|
@@ -641,6 +641,20 @@
|
|
return bytes;
|
|
}
|
|
|
|
+static tsize_t
|
|
+add_ms(tsize_t m1, tsize_t m2)
|
|
+{
|
|
+ tsize_t bytes = m1 + m2;
|
|
+
|
|
+ /* if either input is zero, assume overflow already occurred */
|
|
+ if (m1 == 0 || m2 == 0)
|
|
+ bytes = 0;
|
|
+ else if (bytes <= m1 || bytes <= m2)
|
|
+ bytes = 0;
|
|
+
|
|
+ return bytes;
|
|
+}
|
|
+
|
|
static int
|
|
PixarLogSetupDecode(TIFF* tif)
|
|
{
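Review bot: In `add_ms`, the overflow test `bytes <= m1 || bytes <= m2` runs only after `m1 + m2` has been evaluated. If `tsize_t` is a signed type (its typedef is not visible in this hunk), the overflowing addition is itself undefined behaviour and an optimising compiler may remove the check. Testing before the addition avoids relying on wraparound: `else if (m1 > TSIZE_T_MAX - m2) bytes = 0;`, with `bytes = m1 + m2;` moved after the checks. `TSIZE_T_MAX` is a placeholder for the largest value `tsize_t` can hold. The helper also accepts negative inputs without comment, so a header such as `/* Overflow-checked add: returns 0 on overflow or when either operand is 0 */` would make the sentinel contract explicit for callers.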
|
|
@@ -661,6 +675,8 @@
|
|
td->td_samplesperpixel : 1);
|
|
tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
|
|
td->td_rowsperstrip), sizeof(uint16));
|
|
+ /* add one more stride in case input ends mid-stride */
|
|
+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
|
|
if (tbuf_size == 0)
|
|
return (0);
|
|
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
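Review bot: The extra-stride term on the added line, `sizeof(uint16) * sp->stride`, is a bare multiplication, while every other factor of `tbuf_size` two lines above goes through the checked `multiply()` helper. Routing it the same way keeps the zero-means-overflow convention intact: `tbuf_size = add_ms(tbuf_size, multiply(sp->stride, sizeof(uint16)));`. Because `add_ms` treats a zero operand as overflow, a zero `sp->stride` now makes setup return 0 here; if that is intended, the comment should say so. The comment could also state why one stride is enough padding, for example `/* decoder may write up to one full stride past the last complete pixel */`, though that wording is inferred and should be confirmed against the decode loop. `PixarLogSetupDecode` begins before and continues after this hunk.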