diff options
| author | tgl <tgl> | 2012-12-10 18:27:35 +0000 |
|---|---|---|
| committer | tgl <tgl> | 2012-12-10 18:27:35 +0000 |
| commit | eafda1e5f233c8e39e26d966d83532ba130b4abd (patch) | |
| tree | 8e551aa9555980fbb363f53641ff480d59549596 | |
| parent | 4775cf9a7335b7496b16bb41f47587216e22982c (diff) | |
| download | libtiff-eafda1e5f233c8e39e26d966d83532ba130b4abd.tar.gz | |
Back-patch fix for CVE-2012-4564
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | tools/ppm2tiff.c | 39 |
2 files changed, 38 insertions, 5 deletions
@@ -1,5 +1,9 @@ 2012-12-10 Tom Lane <tgl@sss.pgh.pa.us> + * tools/ppm2tiff.c: Back-patch fix for CVE-2012-4564. + +2012-12-10 Tom Lane <tgl@sss.pgh.pa.us> + * libtiff/tif_pixarlog.c: Back-patch recent security fixes for tif_pixarlog.c, namely the fix for CVE-2012-4447 and protections against accessing outside the lookup arrays for out of range diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c index 6078459f..ec8be5d4 100644 --- a/tools/ppm2tiff.c +++ b/tools/ppm2tiff.c @@ -1,4 +1,4 @@ -/* $Id: ppm2tiff.c,v 1.13.2.2 2010-06-08 18:50:44 bfriesen Exp $ */ +/* $Id: ppm2tiff.c,v 1.13.2.3 2012-12-10 18:27:35 tgl Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -68,6 +68,17 @@ BadPPM(char* file) exit(-2); } +static tsize_t +multiply_ms(tsize_t m1, tsize_t m2) +{ + tsize_t bytes = m1 * m2; + + if (m1 && bytes / m1 != m2) + bytes = 0; + + return bytes; +} + int main(int argc, char* argv[]) { @@ -85,6 +96,7 @@ main(int argc, char* argv[]) int c; extern int optind; extern char* optarg; + tsize_t scanline_size; if (argc < 2) { fprintf(stderr, "%s: Too few arguments\n", argv[0]); @@ -217,7 +229,8 @@ main(int argc, char* argv[]) } switch (bpp) { case 1: - linebytes = (spp * w + (8 - 1)) / 8; + /* if round-up overflows, result will be zero, OK */ + linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; if (rowsperstrip == (uint32) -1) { TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); } else { @@ -226,15 +239,31 @@ main(int argc, char* argv[]) } break; case 8: - linebytes = spp * w; + linebytes = multiply_ms(spp, w); TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, TIFFDefaultStripSize(out, rowsperstrip)); break; } - if (TIFFScanlineSize(out) > linebytes) + if (linebytes == 0) { + fprintf(stderr, "%s: scanline size overflow\n", infile); + (void) TIFFClose(out); + exit(-2); + } + scanline_size = TIFFScanlineSize(out); + if (scanline_size == 0) { + /* overflow - TIFFScanlineSize already printed a message */ + (void) TIFFClose(out); + exit(-2); + } + if (scanline_size < linebytes) buf = (unsigned char *)_TIFFmalloc(linebytes); else - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + buf = (unsigned char *)_TIFFmalloc(scanline_size); + if (buf == NULL) { + fprintf(stderr, "%s: Not enough memory\n", infile); + (void) TIFFClose(out); + exit(-2); + } if (resolution > 0) { TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); |