summaryrefslogtreecommitdiffstats
path: root/abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch
diff options
context:
space:
mode:
authorBritney Fransen <brfransen@gmail.com>2015-02-19 18:16:16 (GMT)
committerBritney Fransen <brfransen@gmail.com>2015-02-19 18:16:16 (GMT)
commit8de064f6e96f960cdbfe6868d9957a4613f704df (patch)
tree4e73a420991733450d013529c0fee60e0365297a /abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch
parent0374b16f1e15ba1819b62bd5a6e0076ac7b243d0 (diff)
parent6fde8cd5e74f0840e01988e743464fe91c0a28f8 (diff)
downloadlinhes_pkgbuild-8de064f6e96f960cdbfe6868d9957a4613f704df.zip
linhes_pkgbuild-8de064f6e96f960cdbfe6868d9957a4613f704df.tar.gz
linhes_pkgbuild-8de064f6e96f960cdbfe6868d9957a4613f704df.tar.bz2
Merge branch 'testing'
Diffstat (limited to 'abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch')
-rw-r--r--abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch37
1 files changed, 37 insertions, 0 deletions
diff --git a/abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch b/abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch
new file mode 100644
index 0000000..f23e984
--- /dev/null
+++ b/abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch
@@ -0,0 +1,37 @@
+Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
+possibility in the same file, which wasn't given a separate CVE.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
+--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
+@@ -641,6 +641,20 @@
+ return bytes;
+ }
+
++static tsize_t
++add_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogSetupDecode(TIFF* tif)
+ {
+@@ -661,6 +675,8 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0);
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);