Security fix for CVE-2012-4564

libtiff: Missing return value check in ppm2tiff leading to heap-buffer overflow when reading a tiff file ok naddy@
2012-11-06 21:31:06 +00:00 · 2012-11-06 21:31:06 +00:00 · a6f7cc5f4f
commit a6f7cc5f4f
parent 75c4104e44
2 changed files with 36 additions and 1 deletions
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@ -1,10 +1,11 @@
-# $OpenBSD: Makefile,v 1.66 2012/09/24 19:51:03 naddy Exp $
+# $OpenBSD: Makefile,v 1.67 2012/11/06 21:31:06 jasper Exp $

 COMMENT=	tools and library routines for working with TIFF images

 DISTNAME=	tiff-4.0.3
 SHARED_LIBS=	tiff	39.2	# 7.0
 SHARED_LIBS+=	tiffxx	40.1	# 7.0
+REVISION=	0
 CATEGORIES=	graphics

 MASTER_SITES=	http://download.osgeo.org/libtiff/
--- a/graphics/tiff/patches/patch-tools_ppm2tiff_c
+++ b/graphics/tiff/patches/patch-tools_ppm2tiff_c
@ -0,0 +1,34 @@
+$OpenBSD: patch-tools_ppm2tiff_c,v 1.1 2012/11/06 21:31:06 jasper Exp $
+
+Security fix for CVE-2012-4564
+libtiff: Missing return value check in ppm2tiff leading to heap-buffer overflow when reading a tiff file
+
+--- tools/ppm2tiff.c.orig	Tue Nov  6 11:45:09 2012
+++ tools/ppm2tiff.c	Tue Nov  6 11:46:18 2012
+@@ -89,6 +89,7 @@ main(int argc, char* argv[])
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
+	tmsize_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -237,8 +238,16 @@ main(int argc, char* argv[])
+ 	}
+ 	if (TIFFScanlineSize(out) > linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+-	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+	else {
+		scanline_size = TIFFScanlineSize(out);
+		if (scanline_size != 0)
+			buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+		else {
+			fprintf(stderr, "%s: scanline size overflow\n",infile);
+			(void) TIFFClose(out);
+			exit(-2);					
+		}
+	}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);