a6f7cc5f4f
libtiff: Missing return value check in ppm2tiff leading to heap-buffer overflow when reading a tiff file ok naddy@
35 lines
1.1 KiB
Plaintext
35 lines
1.1 KiB
Plaintext
$OpenBSD: patch-tools_ppm2tiff_c,v 1.1 2012/11/06 21:31:06 jasper Exp $
|
|
|
|
Security fix for CVE-2012-4564
|
|
libtiff: Missing return value check in ppm2tiff leading to heap-buffer overflow when reading a tiff file
|
|
|
|
--- tools/ppm2tiff.c.orig Tue Nov 6 11:45:09 2012
|
|
+++ tools/ppm2tiff.c Tue Nov 6 11:46:18 2012
|
|
@@ -89,6 +89,7 @@ main(int argc, char* argv[])
|
|
int c;
|
|
extern int optind;
|
|
extern char* optarg;
|
|
+ tmsize_t scanline_size;
|
|
|
|
if (argc < 2) {
|
|
fprintf(stderr, "%s: Too few arguments\n", argv[0]);
|
|
@@ -237,8 +238,16 @@ main(int argc, char* argv[])
|
|
}
|
|
if (TIFFScanlineSize(out) > linebytes)
|
|
buf = (unsigned char *)_TIFFmalloc(linebytes);
|
|
- else
|
|
- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
|
|
+ else {
|
|
+ scanline_size = TIFFScanlineSize(out);
|
|
+ if (scanline_size != 0)
|
|
+ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
|
|
+ else {
|
|
+ fprintf(stderr, "%s: scanline size overflow\n",infile);
|
|
+ (void) TIFFClose(out);
|
|
+ exit(-2);
|
|
+ }
|
|
+ }
|
|
if (resolution > 0) {
|
|
TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
|
|
TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
|