Diffstat (limited to 'abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch')
-rw-r--r-- | abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch b/abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch
new file mode 100644
index 0000000..f23e984
--- /dev/null
+++ b/abs/core/libtiff/tiff-3.9.7-CVE-2012-4447.patch
@@ -0,0 +1,37 @@
+Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
+possibility in the same file, which wasn't given a separate CVE.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
+--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
+@@ -641,6 +641,20 @@
+ return bytes;
+ }
+
++static tsize_t
++add_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogSetupDecode(TIFF* tif)
+ {
+@@ -661,6 +675,8 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0);
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); |
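Review bot: In `add_ms`, the overflow test `bytes <= m1 || bytes <= m2` runs only after `m1 + m2` has been computed, so it detects overflow only if the addition wraps around. `tsize_t` is not defined in this hunk; if it is a signed type in this libtiff version, the overflow is undefined behaviour and an optimising compiler may drop the check, leaving the size passed to `_TIFFmalloc(tbuf_size)` unguarded. Testing before the addition, e.g. `if (m1 == 0 || m2 == 0 || m1 > TSIZE_LIMIT - m2) return 0;` (where `TSIZE_LIMIT` is a placeholder for the type's maximum value), does not depend on wraparound. Separately, the file is named for tiff-3.9.7 but the embedded diff was generated against tiff-3.9.4, so it is worth confirming that both inner hunks apply to the 3.9.7 sources without fuzz.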