Attachment 197131 Details for Bug 276988 – tiff-3.8.2-CVE-2009-2347.patch

[patch] tiff-3.8.2-CVE-2009-2347.patch

tiff-3.8.2-CVE-2009-2347.patch (text/plain), 3.37 KB, created by Robert Buchholz (RETIRED) on 2009-07-07 23:48:42 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Buchholz (RETIRED)

Created: 2009-07-07 23:48:42 UTC

Size: 3.37 KB

patch

obsolete

>Index: tiff-3.8.2/tools/rgb2ycbcr.c
>===================================================================
>--- tiff-3.8.2.orig/tools/rgb2ycbcr.c
>+++ tiff-3.8.2/tools/rgb2ycbcr.c
>@@ -34,6 +34,7 @@
> # include <unistd.h>
> #endif
> 
>+#include "tiffiop.h"
> #include "tiffio.h"
> 
> #define	streq(a,b)	(strcmp(a,b) == 0)
>@@ -279,13 +280,30 @@ tiffcvt(TIFF* in, TIFF* out)
> 	char *stringv;
> 	uint32 longv;
> 
>+	size_t pixel_count;
> 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
> 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
>-	raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
>+	pixel_count = width * height;
>+
>+	/* XXX: Check the integer overflow. */
>+	if (!width || !height || pixel_count / width != height) {
>+		TIFFError(TIFFFileName(in),
>+			  "Malformed input file; "
>+			  "can't allocate buffer for raster of %lux%lu size",
>+			  (unsigned long)width, (unsigned long)height);
>+		return 0;
>+	}
>+
>+	raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32),
>+					   "raster buffer");
> 	if (raster == 0) {
>-		TIFFError(TIFFFileName(in), "No space for raster buffer");
>+		TIFFError(TIFFFileName(in),
>+			  "Requested buffer size is %lu elements %lu each",
>+			  (unsigned long)pixel_count,
>+			  (unsigned long)sizeof(uint32));
> 		return (0);
> 	}
>+
> 	if (!TIFFReadRGBAImage(in, width, height, raster, 0)) {
> 		_TIFFfree(raster);
> 		return (0);
>Index: tiff-3.8.2/tools/tiff2rgba.c
>===================================================================
>--- tiff-3.8.2.orig/tools/tiff2rgba.c
>+++ tiff-3.8.2/tools/tiff2rgba.c
>@@ -34,6 +34,7 @@
> # include <unistd.h>
> #endif
> 
>+#include "tiffiop.h"
> #include "tiffio.h"
> 
> #define	streq(a,b)	(strcmp(a,b) == 0)
>@@ -328,16 +329,27 @@ cvt_whole_image( TIFF *in, TIFF *out )
>     uint32* raster;			/* retrieve RGBA image */
>     uint32  width, height;		/* image width & height */
>     uint32  row;
>+    size_t pixel_count;
>         
>     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
>     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
>+    pixel_count = width * height;
>+
>+    /* XXX: Check the integer overflow. */
>+    if (!width || !height || pixel_count / width != height) {
>+        TIFFError(TIFFFileName(in),
>+		  "Malformed input file; can't allocate buffer for raster of %lux%lu size",
>+		  (unsigned long)width, (unsigned long)height);
>+        return 0;
>+    }
> 
>     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
>     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
> 
>-    raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
>+    raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer");
>     if (raster == 0) {
>-        TIFFError(TIFFFileName(in), "No space for raster buffer");
>+        TIFFError(TIFFFileName(in), "Requested buffer size is %lu elements %lu each",
>+		  (unsigned long)pixel_count, (unsigned long)sizeof(uint32));
>         return (0);
>     }
> 
>@@ -353,18 +365,18 @@ cvt_whole_image( TIFF *in, TIFF *out )
>     */
>     if( no_alpha )
>     {
>-        int	pixel_count = width * height;
>+        size_t count = pixel_count;
>         unsigned char *src, *dst;
> 
>         src = (unsigned char *) raster;
>         dst = (unsigned char *) raster;
>-        while( pixel_count > 0 )
>+        while(count > 0)
>         {
>             *(dst++) = *(src++);
>             *(dst++) = *(src++);
>             *(dst++) = *(src++);
>             src++;
>-            pixel_count--;
>+            count--;
>         }
>     }
>

Actions: View | Diff

Attachments on bug 276988: 197131 | 197267 | 197767