* [gentoo-commits] gentoo-x86 commit in media-libs/tiff/files: tiff-3.9.2-CVE-2009-2347.patch
@ 2010-02-26 20:31 99% Samuli Suominen (ssuominen)
0 siblings, 0 replies; 1+ results
From: Samuli Suominen (ssuominen) @ 2010-02-26 20:31 UTC (permalink / raw
To: gentoo-commits
ssuominen 10/02/26 20:31:34
Added: tiff-3.9.2-CVE-2009-2347.patch
Log:
Fix CVE-2009-2347 again wrt security #307001.
(Portage version: 2.2_rc63/cvs/Linux x86_64)
Revision Changes Path
1.1 media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch?rev=1.1&content-type=text/plain
Index: tiff-3.9.2-CVE-2009-2347.patch
===================================================================
http://bugs.gentoo.org/show_bug.cgi?id=307001
http://bugzilla.maptools.org/show_bug.cgi?id=2079
--- tools/tiff2rgba.c
+++ tools/tiff2rgba.c
@@ -125,6 +125,17 @@
return (0);
}
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
static int
cvt_by_tile( TIFF *in, TIFF *out )
@@ -134,6 +145,7 @@
uint32 tile_width, tile_height;
uint32 row, col;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -151,7 +163,14 @@
/*
* Allocate tile buffer
*/
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) tile_width, (unsigned long) tile_height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -159,7 +178,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
if (!wrk_line) {
@@ -236,6 +255,7 @@
uint32 width, height; /* image width & height */
uint32 row;
uint32 *wrk_line;
+ tsize_t raster_size;
int ok = 1;
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -251,7 +271,14 @@
/*
* Allocate strip buffer
*/
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) rowsperstrip);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
if (raster == 0) {
TIFFError(TIFFFileName(in), "No space for raster buffer");
return (0);
@@ -259,7 +286,7 @@
/*
* Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
*/
wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
if (!wrk_line) {
^ permalink raw reply [relevance 99%]
Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2010-02-26 20:31 99% [gentoo-commits] gentoo-x86 commit in media-libs/tiff/files: tiff-3.9.2-CVE-2009-2347.patch Samuli Suominen (ssuominen)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox