* tools/tiff2rgba.c: Applied portion of patch (from Tom Lane)

which was left out in order to fully resolve "CVE-2009-2347 libtiff: integer overflows in various inter-color space conversion tools". http://bugzilla.maptools.org/show_bug.cgi?id=2079 * libtiff/tiffiop.h (TIFFSafeMultiply): Need more castings to avoid compiler warnings if parameter types are not sign consistent.
author: Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2010-06-12 02:55:16 +0000
committer: Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2010-06-12 02:55:16 +0000
commit: 9fe360cc7328bfb4be58950846fe45f210fe3359 (patch)
tree: 4870d80817dc6a27a0a7f0e321874c2e755b8114
parent: 49730635ab74196554a673e857d2894e44ebb42c (diff)
download: libtiff-git-9fe360cc7328bfb4be58950846fe45f210fe3359.tar.gz
3 files changed, 34 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 620b84e8..809be972 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 2010-06-11  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
+	* tools/tiff2rgba.c: Applied portion of patch (from Tom Lane)
+	which was left out in order to fully resolve "CVE-2009-2347
+	libtiff: integer overflows in various inter-color space conversion
+	tools". http://bugzilla.maptools.org/show_bug.cgi?id=2079
+
+	* libtiff/tiffiop.h (TIFFSafeMultiply): Need more castings to
+	avoid compiler warnings if parameter types are not sign
+	consistent.
+
 	* tools/tiffcrop.c: Applied patch from Richard Nolde: Corrected
 	European page size dimensions.  Added an option to allow the user
 	to specify a custom page size on the command line.  Fix the case
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 1883507b..a064039f 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -1,4 +1,4 @@
-/* $Id: tiffiop.h,v 1.51.2.5 2010-06-10 22:52:45 bfriesen Exp $ */
+/* $Id: tiffiop.h,v 1.51.2.6 2010-06-12 02:55:16 bfriesen Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -243,7 +243,7 @@ struct tiff {
 #define	TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
 
 /* Safe multiply which returns zero if there is an integer overflow */
-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)v*m)/(t)m == (t)v)) ? (t)v*m : (t)0)
+#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
 
 #define TIFFmax(A,B) ((A)>(B)?(A):(B))
 #define TIFFmin(A,B) ((A)<(B)?(A):(B))
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index db060edc..9ba2877f 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2rgba.c,v 1.13.2.2 2010-06-08 18:50:44 bfriesen Exp $ */
+/* $Id: tiff2rgba.c,v 1.13.2.3 2010-06-12 02:55:16 bfriesen Exp $ */
 
 /*
  * Copyright (c) 1991-1997 Sam Leffler
@@ -125,6 +125,8 @@ main(int argc, char* argv[])
     return (0);
 }
 
+#define multiply(a,b) TIFFSafeMultiply(tsize_t,a,b)
+
 static int
 cvt_by_tile( TIFF *in, TIFF *out )
 
@@ -134,6 +136,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
     uint32  tile_width, tile_height;
     uint32  row, col;
     uint32  *wrk_line;
+    tsize_t raster_size;
     int	    ok = 1;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -151,7 +154,14 @@ cvt_by_tile( TIFF *in, TIFF *out )
     /*
      * Allocate tile buffer
      */
-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+    raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+    if (!raster_size) {
+	TIFFError(TIFFFileName(in),
+		  "Can't allocate buffer for raster of size %lux%lu",
+		  (unsigned long) tile_width, (unsigned long) tile_height);
+	return (0);
+    }
+    raster = (uint32*)_TIFFmalloc(raster_size);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
@@ -159,7 +169,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
 
     /*
      * Allocate a scanline buffer for swapping during the vertical
-     * mirroring pass.
+     * mirroring pass.  (Request can't overflow given prior checks.)
      */
     wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
     if (!wrk_line) {
@@ -236,6 +246,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
     uint32  width, height;		/* image width & height */
     uint32  row;
     uint32  *wrk_line;
+    tsize_t raster_size;
     int	    ok = 1;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -251,7 +262,14 @@ cvt_by_strip( TIFF *in, TIFF *out )
     /*
      * Allocate strip buffer
      */
-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+    raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+    if (!raster_size) {
+	TIFFError(TIFFFileName(in),
+		  "Can't allocate buffer for raster of size %lux%lu",
+		  (unsigned long) width, (unsigned long) rowsperstrip);
+	return (0);
+    }
+    raster = (uint32*)_TIFFmalloc(raster_size);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
@@ -259,7 +277,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
 
     /*
      * Allocate a scanline buffer for swapping during the vertical
-     * mirroring pass.
+     * mirroring pass.  (Request can't overflow given prior checks.)
      */
     wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
     if (!wrk_line) {
author	Bob Friesenhahn <bfriesen@simple.dallas.tx.us>	2010-06-12 02:55:16 +0000
committer	Bob Friesenhahn <bfriesen@simple.dallas.tx.us>	2010-06-12 02:55:16 +0000
commit	9fe360cc7328bfb4be58950846fe45f210fe3359 (patch)
tree	4870d80817dc6a27a0a7f0e321874c2e755b8114
parent	49730635ab74196554a673e857d2894e44ebb42c (diff)
download	libtiff-git-9fe360cc7328bfb4be58950846fe45f210fe3359.tar.gz