Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
diff options
context:
space:
mode:
Diffstat (limited to 'media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch')
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch77
1 files changed, 77 insertions, 0 deletions
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
new file mode 100644
index 000000000000..98a6e6c4409d
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
@@ -0,0 +1,77 @@
+Upstream patch for CVE-2012-4564.
+
+
+diff -Naur tiff-3.9.4.orig/tools/ppm2tiff.c tiff-3.9.4/tools/ppm2tiff.c
+--- tiff-3.9.4.orig/tools/ppm2tiff.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/ppm2tiff.c 2012-12-10 16:16:05.154045877 -0500
+@@ -68,6 +68,17 @@
+ exit(-2);
+ }
+
++static tsize_t
++multiply_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 * m2;
++
++ if (m1 && bytes / m1 != m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ int
+ main(int argc, char* argv[])
+ {
+@@ -85,6 +96,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ tsize_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -217,7 +229,8 @@
+ }
+ switch (bpp) {
+ case 1:
+- linebytes = (spp * w + (8 - 1)) / 8;
++ /* if round-up overflows, result will be zero, OK */
++ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ if (rowsperstrip == (uint32) -1) {
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+ } else {
+@@ -226,15 +239,31 @@
+ }
+ break;
+ case 8:
+- linebytes = spp * w;
++ linebytes = multiply_ms(spp, w);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+ break;
+ }
+- if (TIFFScanlineSize(out) > linebytes)
++ if (linebytes == 0) {
++ fprintf(stderr, "%s: scanline size overflow\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size == 0) {
++ /* overflow - TIFFScanlineSize already printed a message */
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ if (scanline_size < linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+ else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ buf = (unsigned char *)_TIFFmalloc(scanline_size);
++ if (buf == NULL) {
++ fprintf(stderr, "%s: Not enough memory\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);