* [gentoo-commits] gentoo-x86 commit in media-libs/tiff/files: tiff-4.0.1-CVE-2012-1173.patch tiff-3.9.5-CVE-2012-1173.patch
@ 2012-04-06 17:39 Samuli Suominen (ssuominen)
0 siblings, 0 replies; only message in thread
From: Samuli Suominen (ssuominen) @ 2012-04-06 17:39 UTC (permalink / raw
To: gentoo-commits
ssuominen 12/04/06 17:39:21
Added: tiff-4.0.1-CVE-2012-1173.patch
tiff-3.9.5-CVE-2012-1173.patch
Log:
Upstream patch for CVE-2012-1173 wrt #410931 by Agostino Sarubbo
(Portage version: 2.2.0_alpha99/cvs/Linux x86_64)
Revision Changes Path
1.1 media-libs/tiff/files/tiff-4.0.1-CVE-2012-1173.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-4.0.1-CVE-2012-1173.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-4.0.1-CVE-2012-1173.patch?rev=1.1&content-type=text/plain
Index: tiff-4.0.1-CVE-2012-1173.patch
===================================================================
Index: ChangeLog
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/ChangeLog,v
retrieving revision 1.877
diff -r1.877 ChangeLog
0a1,5
> 2012-03-30 Frank Warmerdam <warmerdam@google.com>
>
> * tif_getimage.c: Fix size overflow (zdi-can-1221,CVE-2012-1173)
> care of Tom Lane @ Red Hat.
>
Index: libtiff/tif_getimage.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v
retrieving revision 1.78
diff -r1.78 tif_getimage.c
694a695
> tmsize_t bufsize;
702c703,708
< buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
---
> bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
> if (bufsize == 0) {
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
> return (0);
> }
> buf = (unsigned char*) _TIFFmalloc(bufsize);
707c713
< _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
---
> _TIFFmemset(buf, 0, bufsize);
919a926
> tmsize_t bufsize;
925c932,937
< p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
---
> bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
> if (bufsize == 0) {
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
> return (0);
> }
> p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
930c942
< _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
---
> _TIFFmemset(buf, 0, bufsize);
Index: libtiff/tiffiop.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
retrieving revision 1.82
diff -r1.82 tiffiop.h
253c253
< #define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
---
> #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
1.1 media-libs/tiff/files/tiff-3.9.5-CVE-2012-1173.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-3.9.5-CVE-2012-1173.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-3.9.5-CVE-2012-1173.patch?rev=1.1&content-type=text/plain
Index: tiff-3.9.5-CVE-2012-1173.patch
===================================================================
Index: ChangeLog
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/ChangeLog,v
retrieving revision 1.602.2.141
diff -r1.602.2.141 ChangeLog
0a1,6
> 2012-03-30 Frank Warmerdam <warmerdam@google.com>
>
> * tif_getimage.c: Fix size overflow (zdi-can-1221,CVE-2012-1173)
> care of Tom Lane @ Red Hat.
>
>
Index: libtiff/tif_getimage.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v
retrieving revision 1.63.2.6
diff -r1.63.2.6 tif_getimage.c
675a676
> tsize_t bufsize;
682c683,688
< buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
---
> bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize);
> if (bufsize == 0) {
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
> return (0);
> }
> buf = (unsigned char*) _TIFFmalloc(bufsize);
687c693
< _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
---
> _TIFFmemset(buf, 0, bufsize);
882a889
> tsize_t bufsize;
888c895,900
< p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
---
> bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize);
> if (bufsize == 0) {
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
> return (0);
> }
> p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
893c905
< _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
---
> _TIFFmemset(buf, 0, bufsize);
Index: libtiff/tiffiop.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
retrieving revision 1.51.2.7
diff -r1.51.2.7 tiffiop.h
249c249
< #define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
---
> #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2012-04-06 17:39 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-04-06 17:39 [gentoo-commits] gentoo-x86 commit in media-libs/tiff/files: tiff-4.0.1-CVE-2012-1173.patch tiff-3.9.5-CVE-2012-1173.patch Samuli Suominen (ssuominen)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox