Security fix for CVE-2012-4564

libtiff: Missing return value check in ppm2tiff leading to heap-buffer overflow when reading a tiff file

ok naddy@

graphics/tiff/Makefile

@@ -1,10 +1,11 @@
-# $OpenBSD: Makefile,v 1.66 2012/09/24 19:51:03 naddy Exp $
+# $OpenBSD: Makefile,v 1.67 2012/11/06 21:31:06 jasper Exp $
 
 COMMENT=	tools and library routines for working with TIFF images
 
 DISTNAME=	tiff-4.0.3
 SHARED_LIBS=	tiff	39.2	# 7.0
 SHARED_LIBS+=	tiffxx	40.1	# 7.0
+REVISION=	0
 CATEGORIES=	graphics
 
 MASTER_SITES=	http://download.osgeo.org/libtiff/

graphics/tiff/patches/patch-tools_ppm2tiff_c

@@ -0,0 +1,34 @@
+$OpenBSD: patch-tools_ppm2tiff_c,v 1.1 2012/11/06 21:31:06 jasper Exp $
+
+Security fix for CVE-2012-4564
+libtiff: Missing return value check in ppm2tiff leading to heap-buffer overflow when reading a tiff file
+
+--- tools/ppm2tiff.c.orig	Tue Nov  6 11:45:09 2012
++++ tools/ppm2tiff.c	Tue Nov  6 11:46:18 2012
+@@ -89,6 +89,7 @@ main(int argc, char* argv[])
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
++	tmsize_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -237,8 +238,16 @@ main(int argc, char* argv[])
+ 	}
+ 	if (TIFFScanlineSize(out) > linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+-	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++	else {
++		scanline_size = TIFFScanlineSize(out);
++		if (scanline_size != 0)
++			buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++		else {
++			fprintf(stderr, "%s: scanline size overflow\n",infile);
++			(void) TIFFClose(out);
++			exit(-2);					
++		}
++	}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);