Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 197131 Details for
Bug 276988
<media-libs/tiff-3.8.2-r8 tools heap-based buffer overflow (CVE-2009-2347)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
tiff-3.8.2-CVE-2009-2347.patch
tiff-3.8.2-CVE-2009-2347.patch (text/plain), 3.37 KB, created by
Robert Buchholz (RETIRED)
on 2009-07-07 23:48:42 UTC
(
hide
)
Description:
tiff-3.8.2-CVE-2009-2347.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2009-07-07 23:48:42 UTC
Size:
3.37 KB
patch
obsolete
>Index: tiff-3.8.2/tools/rgb2ycbcr.c >=================================================================== >--- tiff-3.8.2.orig/tools/rgb2ycbcr.c >+++ tiff-3.8.2/tools/rgb2ycbcr.c >@@ -34,6 +34,7 @@ > # include <unistd.h> > #endif > >+#include "tiffiop.h" > #include "tiffio.h" > > #define streq(a,b) (strcmp(a,b) == 0) >@@ -279,13 +280,30 @@ tiffcvt(TIFF* in, TIFF* out) > char *stringv; > uint32 longv; > >+ size_t pixel_count; > TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); > TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); >- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); >+ pixel_count = width * height; >+ >+ /* XXX: Check the integer overflow. */ >+ if (!width || !height || pixel_count / width != height) { >+ TIFFError(TIFFFileName(in), >+ "Malformed input file; " >+ "can't allocate buffer for raster of %lux%lu size", >+ (unsigned long)width, (unsigned long)height); >+ return 0; >+ } >+ >+ raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), >+ "raster buffer"); > if (raster == 0) { >- TIFFError(TIFFFileName(in), "No space for raster buffer"); >+ TIFFError(TIFFFileName(in), >+ "Requested buffer size is %lu elements %lu each", >+ (unsigned long)pixel_count, >+ (unsigned long)sizeof(uint32)); > return (0); > } >+ > if (!TIFFReadRGBAImage(in, width, height, raster, 0)) { > _TIFFfree(raster); > return (0); >Index: tiff-3.8.2/tools/tiff2rgba.c >=================================================================== >--- tiff-3.8.2.orig/tools/tiff2rgba.c >+++ tiff-3.8.2/tools/tiff2rgba.c >@@ -34,6 +34,7 @@ > # include <unistd.h> > #endif > >+#include "tiffiop.h" > #include "tiffio.h" > > #define streq(a,b) (strcmp(a,b) == 0) >@@ -328,16 +329,27 @@ cvt_whole_image( TIFF *in, TIFF *out ) > uint32* raster; /* retrieve RGBA image */ > uint32 width, height; /* image width & height */ > uint32 row; >+ size_t pixel_count; > > TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); > TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); >+ pixel_count = width * height; >+ >+ /* XXX: Check the integer overflow. */ >+ if (!width || !height || pixel_count / width != height) { >+ TIFFError(TIFFFileName(in), >+ "Malformed input file; can't allocate buffer for raster of %lux%lu size", >+ (unsigned long)width, (unsigned long)height); >+ return 0; >+ } > > rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); > TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); > >- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); >+ raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer"); > if (raster == 0) { >- TIFFError(TIFFFileName(in), "No space for raster buffer"); >+ TIFFError(TIFFFileName(in), "Requested buffer size is %lu elements %lu each", >+ (unsigned long)pixel_count, (unsigned long)sizeof(uint32)); > return (0); > } > >@@ -353,18 +365,18 @@ cvt_whole_image( TIFF *in, TIFF *out ) > */ > if( no_alpha ) > { >- int pixel_count = width * height; >+ size_t count = pixel_count; > unsigned char *src, *dst; > > src = (unsigned char *) raster; > dst = (unsigned char *) raster; >- while( pixel_count > 0 ) >+ while(count > 0) > { > *(dst++) = *(src++); > *(dst++) = *(src++); > *(dst++) = *(src++); > src++; >- pixel_count--; >+ count--; > } > } >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 276988
:
197131
|
197267
|
197767