author | Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | 2010-06-12 02:55:16 +0000 |
---|---|---|
committer | Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | 2010-06-12 02:55:16 +0000 |
commit | 9fe360cc7328bfb4be58950846fe45f210fe3359 (patch) | |
tree | 4870d80817dc6a27a0a7f0e321874c2e755b8114 | |
parent | 49730635ab74196554a673e857d2894e44ebb42c (diff) | |
download | libtiff-git-9fe360cc7328bfb4be58950846fe45f210fe3359.tar.gz |
* tools/tiff2rgba.c: Applied portion of patch (from Tom Lane)
which was left out in order to fully resolve "CVE-2009-2347
libtiff: integer overflows in various inter-color space conversion
tools". http://bugzilla.maptools.org/show_bug.cgi?id=2079
* libtiff/tiffiop.h (TIFFSafeMultiply): Need more castings to
avoid compiler warnings if parameter types are not sign
consistent.
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | libtiff/tiffiop.h | 4 | ||||
-rw-r--r-- | tools/tiff2rgba.c | 28 |
3 files changed, 34 insertions, 7 deletions
@@ -1,5 +1,14 @@ 2010-06-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> + * tools/tiff2rgba.c: Applied portion of patch (from Tom Lane) + which was left out in order to fully resolve "CVE-2009-2347 + libtiff: integer overflows in various inter-color space conversion + tools". http://bugzilla.maptools.org/show_bug.cgi?id=2079 + + * libtiff/tiffiop.h (TIFFSafeMultiply): Need more castings to + avoid compiler warnings if parameter types are not sign + consistent. + * tools/tiffcrop.c: Applied patch from Richard Nolde: Corrected European page size dimensions. Added an option to allow the user to specify a custom page size on the command line. Fix the case diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h index 1883507b..a064039f 100644 --- a/libtiff/tiffiop.h +++ b/libtiff/tiffiop.h @@ -1,4 +1,4 @@ -/* $Id: tiffiop.h,v 1.51.2.5 2010-06-10 22:52:45 bfriesen Exp $ */ +/* $Id: tiffiop.h,v 1.51.2.6 2010-06-12 02:55:16 bfriesen Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -243,7 +243,7 @@ struct tiff { #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) /* Safe multiply which returns zero if there is an integer overflow */ -#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)v*m)/(t)m == (t)v)) ? (t)v*m : (t)0) +#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) #define TIFFmax(A,B) ((A)>(B)?(A):(B)) #define TIFFmin(A,B) ((A)<(B)?(A):(B)) diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c index db060edc..9ba2877f 100644 --- a/tools/tiff2rgba.c +++ b/tools/tiff2rgba.c @@ -1,4 +1,4 @@ -/* $Id: tiff2rgba.c,v 1.13.2.2 2010-06-08 18:50:44 bfriesen Exp $ */ +/* $Id: tiff2rgba.c,v 1.13.2.3 2010-06-12 02:55:16 bfriesen Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -125,6 +125,8 @@ main(int argc, char* argv[]) return (0); } +#define multiply(a,b) TIFFSafeMultiply(tsize_t,a,b) + static int cvt_by_tile( TIFF *in, TIFF *out ) 
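Review bot: In the new `TIFFSafeMultiply` (tiffiop.h hunk -243,7 +243,7), `v*m` is computed in the operands' own arithmetic type and only cast to `t` afterwards, so the division test proves the multiplication did not wrap in that type, not that the result fits in `t`. If the operands promote to something wider than `t` (for example the `sizeof (uint32)` operand passed from tiff2rgba.c, should `tsize_t` be narrower than `size_t` on the target; the typedef is not visible here), `(t)(v*m)` can truncate to a small non-zero value that passes the check and undersizes the allocation. Testing the value that is actually returned closes this, for example by adding `&& ((t)((v)*(m)) / (t)(m) == (t)(v))` to the condition. The macro arguments are also used unparenthesized (`(t)m`, `v*m`), which is fragile for expression arguments; `(t)(m)` and `(v)*(m)` would be safer.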
@@ -134,6 +136,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) uint32 tile_width, tile_height; uint32 row, col; uint32 *wrk_line; + tsize_t raster_size; int ok = 1; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); @@ -151,7 +154,14 @@ cvt_by_tile( TIFF *in, TIFF *out ) /* * Allocate tile buffer */ - raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); + raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); + if (!raster_size) { + TIFFError(TIFFFileName(in), + "Can't allocate buffer for raster of size %lux%lu", + (unsigned long) tile_width, (unsigned long) tile_height); + return (0); + } + raster = (uint32*)_TIFFmalloc(raster_size); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); @@ -159,7 +169,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) /* * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. + * mirroring pass. (Request can't overflow given prior checks.) */ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); if (!wrk_line) { @@ -236,6 +246,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) uint32 width, height; /* image width & height */ uint32 row; uint32 *wrk_line; + tsize_t raster_size; int ok = 1; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); @@ -251,7 +262,14 @@ cvt_by_strip( TIFF *in, TIFF *out ) /* * Allocate strip buffer */ - raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); + raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); + if (!raster_size) { + TIFFError(TIFFFileName(in), + "Can't allocate buffer for raster of size %lux%lu", + (unsigned long) width, (unsigned long) rowsperstrip); + return (0); + } + raster = (uint32*)_TIFFmalloc(raster_size); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); 
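Review bot: The `if (!raster_size)` guard added in cvt_by_tile (hunk -151,7 +154,14) rejects only a zero result, yet `raster_size` is a `tsize_t`; if that type is signed (its typedef is outside this diff), a product in the upper half of the unsigned range comes back negative and is handed to `_TIFFmalloc` unchecked. `if (raster_size <= 0) {` would cover both cases. The same guard appears in the cvt_by_strip hunk at -251,7 +262,14. cvt_by_tile continues outside this hunk, and the `TIFFGetField` results in the visible context are not checked, so whether the tile dimensions are validated elsewhere cannot be confirmed from here.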
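Review bot: The added comment `(Request can't overflow given prior checks.)` in hunk -159,7 +169,7 records an invariant that is not enforced at this call: `tile_width * sizeof (uint32)` is safe only because the earlier `raster_size` test already rejected a zero or overflowing `tile_width * tile_height * sizeof (uint32)`. Routing this size through the same helper, `multiply(tile_width, sizeof (uint32))` followed by a zero check, would keep the allocation safe if the earlier check is later moved or relaxed. The same applies to the `width * sizeof (uint32)` request in cvt_by_strip (hunk -259,7 +277,7).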
@@ -259,7 +277,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) /* * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. + * mirroring pass. (Request can't overflow given prior checks.) */ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); if (!wrk_line) { |