public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] gentoo-x86 commit in media-libs/tiff/files: tiff-3.9.2-CVE-2010-1411.patch
@ 2010-07-18 21:18 Steve Arnold (nerdboy)
From: Steve Arnold (nerdboy) @ 2010-07-18 21:18 UTC
  To: gentoo-commits

nerdboy     10/07/18 21:18:15

  Added:                tiff-3.9.2-CVE-2010-1411.patch
  Log:
  Updated oldest version for CVE-2010-1411.
  (Portage version: 2.2_rc67/cvs/Linux x86_64)

Revision  Changes    Path
1.1                  media-libs/tiff/files/tiff-3.9.2-CVE-2010-1411.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-3.9.2-CVE-2010-1411.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-3.9.2-CVE-2010-1411.patch?rev=1.1&content-type=text/plain

Index: tiff-3.9.2-CVE-2010-1411.patch
===================================================================
--- libtiff/tif_fax3.c.orig	2010-05-13 19:36:08.995479161 +0200
+++ libtiff/tif_fax3.c	2010-05-13 19:48:04.215467428 +0200
@@ -42,6 +42,7 @@
 #define	G3CODES
 #include "t4.h"
 #include <stdio.h>
+#include <stdint.h>
 
 /*
  * Compression+decompression state blocks are
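Review bot: The new `#include <stdint.h>` is pulled in only for the `uint64_t` used by `val64`, while the surrounding code in this file uses the library's own `uint32` typedef. If this tree still has to build with pre-C99 toolchains, the header may not exist there; guard the include with a configure-time check or use a 64-bit type the build system already provides, and add a short comment saying why the header is needed.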
@@ -493,9 +494,21 @@
 	    td->td_compression == COMPRESSION_CCITTFAX4
 	);
 
-	nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels;
+	uint64_t val64 = rowpixels;
+	if (needsRefLine)
+	{
+	val64 = 2*TIFFroundup(rowpixels,32);
+	if (val64 > 0xffffffff)
+		return (0);
+	}
+	nruns = (val64 &0xffffffff);
 	nruns += 3;
-	dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns, sizeof (uint32),
+	
+	val64 = 2*nruns+3;
+	if (val64 > 0xffffffff)
+		return (0);
+
+	dsp->runs = (uint32*) _TIFFCheckMalloc(tif, (val64 & 0xffffffff), sizeof (uint32),
 					  "for Group 3/4 run arrays");
 	if (dsp->runs == NULL)
 		return (0);
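Review bot: The overflow checks on `val64` are likely ineffective, because in `val64 = 2*TIFFroundup(rowpixels,32);` and `val64 = 2*nruns+3;` the right-hand side is evaluated in the type of its operands before it is widened to `uint64_t`. If `rowpixels` and `nruns` are 32-bit, as the `0xffffffff` bound and the `(uint32*)` allocation suggest, the product has already wrapped by the time it is stored and `val64 > 0xffffffff` can never be true. Widen an operand first, for example `val64 = 2 * (uint64_t)nruns + 3;`, and widen `rowpixels` before the round-up so that the rounding is also done in 64 bits. Further points in the same hunk: `nruns += 3` follows the masked assignment with no check and can wrap when the value is within 3 of the 32-bit maximum (the path where `needsRefLine` is false is not range-checked at all); the element count passed to `_TIFFCheckMalloc` changes from `2*nruns` to `2*nruns+3` without explanation, although `nruns` already includes a `+3`, so this needs a comment or should be dropped if unintended; both new `return (0);` paths fail silently, where the allocation failure path at least carries the "for Group 3/4 run arrays" message; and `uint64_t val64 = rowpixels;` is declared after a statement, which requires C99 and the body of the `if (needsRefLine)` block is not indented to match.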






