From eafda1e5f233c8e39e26d966d83532ba130b4abd Mon Sep 17 00:00:00 2001 From: tgl Date: Mon, 10 Dec 2012 18:27:35 +0000 Subject: Back-patch fix for CVE-2012-4564 --- ChangeLog | 4 ++++ tools/ppm2tiff.c | 39 ++++++++++++++++++++++++++++++++++----- 2 files changed, 38 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6d6d2d19..6e2d47cf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2012-12-10 Tom Lane + + * tools/ppm2tiff.c: Back-patch fix for CVE-2012-4564. + 2012-12-10 Tom Lane * libtiff/tif_pixarlog.c: Back-patch recent security fixes for diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c index 6078459f..ec8be5d4 100644 --- a/tools/ppm2tiff.c +++ b/tools/ppm2tiff.c @@ -1,4 +1,4 @@ -/* $Id: ppm2tiff.c,v 1.13.2.2 2010-06-08 18:50:44 bfriesen Exp $ */ +/* $Id: ppm2tiff.c,v 1.13.2.3 2012-12-10 18:27:35 tgl Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -68,6 +68,17 @@ BadPPM(char* file) exit(-2); } +static tsize_t +multiply_ms(tsize_t m1, tsize_t m2) +{ + tsize_t bytes = m1 * m2; + + if (m1 && bytes / m1 != m2) + bytes = 0; + + return bytes; +} + int main(int argc, char* argv[]) { @@ -85,6 +96,7 @@ main(int argc, char* argv[]) int c; extern int optind; extern char* optarg; + tsize_t scanline_size; if (argc < 2) { fprintf(stderr, "%s: Too few arguments\n", argv[0]); @@ -217,7 +229,8 @@ main(int argc, char* argv[]) } switch (bpp) { case 1: - linebytes = (spp * w + (8 - 1)) / 8; + /* if round-up overflows, result will be zero, OK */ + linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; if (rowsperstrip == (uint32) -1) { TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); } else { @@ -226,15 +239,31 @@ main(int argc, char* argv[]) } break; case 8: - linebytes = spp * w; + linebytes = multiply_ms(spp, w); TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, TIFFDefaultStripSize(out, rowsperstrip)); break; } - if (TIFFScanlineSize(out) > linebytes) + if (linebytes == 0) { + fprintf(stderr, "%s: scanline size overflow\n", infile); + (void) TIFFClose(out); + exit(-2); + } + scanline_size = TIFFScanlineSize(out); + if (scanline_size == 0) { + /* overflow - TIFFScanlineSize already printed a message */ + (void) TIFFClose(out); + exit(-2); + } + if (scanline_size < linebytes) buf = (unsigned char *)_TIFFmalloc(linebytes); else - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + buf = (unsigned char *)_TIFFmalloc(scanline_size); + if (buf == NULL) { + fprintf(stderr, "%s: Not enough memory\n", infile); + (void) TIFFClose(out); + exit(-2); + } if (resolution > 0) { TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); -- cgit v1.2.1