| Upstream patch for CVE-2012-4447. |
| |
| |
| diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c |
| --- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400 |
| +++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500 |
| @@ -644,6 +644,20 @@ |
| return bytes; |
| } |
| |
| +static tmsize_t |
| +add_ms(tmsize_t m1, tmsize_t m2) |
| +{ |
| + tmsize_t bytes = m1 + m2; |
| + |
| + /* if either input is zero, assume overflow already occurred */ |
| + if (m1 == 0 || m2 == 0) |
| + bytes = 0; |
| + else if (bytes <= m1 || bytes <= m2) |
| + bytes = 0; |
| + |
| + return bytes; |
| +} |
| + |
| static int |
| PixarLogFixupTags(TIFF* tif) |
| { |
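Review bot: In `add_ms` the sum `m1 + m2` is computed before the overflow test. `tmsize_t` is a signed type in libtiff, so an overflowing addition is undefined behaviour, and an optimizing compiler may drop the `bytes <= m1 || bytes <= m2` check that is meant to catch it. Do the range test first and add only afterwards, for example `if (m1 <= 0 || m2 <= 0 || m1 > TIFF_TMSIZE_T_MAX - m2) return 0;` followed by `return m1 + m2;`. `TIFF_TMSIZE_T_MAX` is the name later libtiff releases use and may not be defined in 4.0.3, so substitute whatever maximum-value constant for `tmsize_t` this tree provides. The same applies to the existing `multiply_ms` if it tests after multiplying; only its tail is visible in this hunk.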
| @@ -671,9 +685,11 @@ |
| td->td_samplesperpixel : 1); |
| tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), |
| td->td_rowsperstrip), sizeof(uint16)); |
| + /* add one more stride in case input ends mid-stride */ |
| + tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); |
| if (tbuf_size == 0) |
| return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ |
| - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); |
| + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); |
| if (sp->tbuf == NULL) |
| return (0); |
| if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) |
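Review bot: The new `add_ms` overflow result falls into the existing `if (tbuf_size == 0) return (0);` path, which the TODO on that line already marks as an error return with no report. A size overflow driven by the file's own tags is now rejected silently, so a caller or log reader cannot tell a hostile or corrupt image from any other setup failure. Emit a diagnostic before returning, for example `TIFFErrorExt(tif->tif_clientdata, module, "Buffer size overflow");`, assuming the enclosing function declares the usual `module` name string. The enclosing function starts and ends outside the hunk. The new comment could also say that the extra stride is there because the decoder may write up to one stride past the computed size, if that is the intent.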