diff options
author | erouault <erouault> | 2015-03-02 16:16:38 +0000 |
---|---|---|
committer | erouault <erouault> | 2015-03-02 16:16:38 +0000 |
commit | 8a4c24600ef3fafcf6e13f18e8ceedc070d048bc (patch) | |
tree | 28baf57948abce8af1e2213033fa34b5c5270454 /tools | |
parent | b88d5c136c100f916cff9d6766cff7453283b06c (diff) | |
download | libtiff-8a4c24600ef3fafcf6e13f18e8ceedc070d048bc.tar.gz |
* tools/tiffdither.c: check memory allocations to avoid writing to
NULL pointer. Also check multiplication overflow. Fixes #2501,
CVE-2014-8128. Derived from patch by Petr Gajdos.
Diffstat (limited to 'tools')
-rw-r--r-- | tools/tiffdither.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/tools/tiffdither.c b/tools/tiffdither.c index 43089461..f6182dbe 100644 --- a/tools/tiffdither.c +++ b/tools/tiffdither.c @@ -1,4 +1,4 @@ -/* $Id: tiffdither.c,v 1.14 2013-05-02 14:44:29 tgl Exp $ */ +/* $Id: tiffdither.c,v 1.15 2015-03-02 16:16:38 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -39,6 +39,7 @@ #endif #include "tiffio.h" +#include "tiffiop.h" #define streq(a,b) (strcmp(a,b) == 0) #define strneq(a,b,n) (strncmp(a,b,n) == 0) @@ -56,7 +57,7 @@ static void usage(void); * Floyd-Steinberg error propragation with threshold. * This code is stolen from tiffmedian. */ -static void +static int fsdither(TIFF* in, TIFF* out) { unsigned char *outline, *inputline, *inptr; @@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out) int lastline, lastpixel; int bit; tsize_t outlinesize; + int errcode = 0; imax = imagelength - 1; jmax = imagewidth - 1; inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); - thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); - nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short)); + thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short))); + nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short))); outlinesize = TIFFScanlineSize(out); outline = (unsigned char *) _TIFFmalloc(outlinesize); + if (! (inputline && thisline && nextline && outline)) { + fprintf(stderr, "Out of memory.\n"); + goto skip_on_error; + } /* * Get first line @@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out) nextline = tmpptr; lastline = (i == imax); if (TIFFReadScanline(in, inputline, i, 0) <= 0) - break; + goto skip_on_error; inptr = inputline; nextptr = nextline; for (j = 0; j < imagewidth; ++j) @@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out) } } if (TIFFWriteScanline(out, outline, i-1, 0) < 0) - break; + goto skip_on_error; } + goto exit_label; + skip_on_error: + errcode = 1; + exit_label: _TIFFfree(inputline); _TIFFfree(thisline); _TIFFfree(nextline); _TIFFfree(outline); + return errcode; } static uint16 compression = COMPRESSION_PACKBITS; |