OpenSDE
/
package-nopast
3
0
Fork 0
Code Issues 9 Projects 1 Releases Activity
OpenSDE Packages Database (without history before r20070)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11827 Commits
49 Branches
0 Tags
34 MiB
Tree: ef17468902
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ef17468902'
${ noResults }
package-nopast/graphic/libtiff/libtiff-4.0.3-0101-CVE-2012...

73 lines
2.5 KiB
Raw Normal View History

libtiff: add security fixes from upstream for CVE-2012-4564, CVE-2012-4447, CVE-2013-1961, CVE-2013-1960
11 years ago
  1. # --- SDE-COPYRIGHT-NOTE-BEGIN ---
  2. # This copyright note is auto-generated by ./scripts/Create-CopyPatch.
  3. #
  4. # Filename: package/.../libtiff/libtiff-4.0.3-0101-CVE-2012-4447.patch
  5. # Copyright (C) 2013 The OpenSDE Project
  6. #
  7. # More information can be found in the files COPYING and README.
  8. #
  9. # This patch file is dual-licensed. It is available under the license the
  10. # patched project is licensed under, as long as it is an OpenSource license
  11. # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
  12. # of the GNU General Public License as published by the Free Software
  13. # Foundation; either version 2 of the License, or (at your option) any later
  14. # version.
  15. # --- SDE-COPYRIGHT-NOTE-END ---
  17. From ea1f57c13f083528b6b38350aa00c3c0f44a1c9d Mon Sep 17 00:00:00 2001
  18. From: tgl <tgl>
  19. Date: Mon, 10 Dec 2012 17:27:13 +0000
  20. Subject: [PATCH] Detect integer overflow in addition when computing buffer
  21. size.
  23. original ChangeLog entry:
  24. ----------------------------------------------------------------------------
  25. 2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>
  27. * libtiff/tif_pixarlog.c: Improve previous patch for CVE-2012-4447
  28. (to enlarge tbuf for possible partial stride at end) so that
  29. overflow in the integer addition is detected. Per gripe from
  30. Huzaifa Sidhpurwala.
  31. ----------------------------------------------------------------------------
  33. diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
  34. index 572dc7f..ba554e7 100644
  35. --- a/libtiff/tif_pixarlog.c
  36. +++ b/libtiff/tif_pixarlog.c
  37. @@ -644,6 +644,20 @@ multiply_ms(tmsize_t m1, tmsize_t m2)
  38. return bytes;
  39. }
  41. +static tmsize_t
  42. +add_ms(tmsize_t m1, tmsize_t m2)
  43. +{
  44. + tmsize_t bytes = m1 + m2;
  45. +
  46. + /* if either input is zero, assume overflow already occurred */
  47. + if (m1 == 0 || m2 == 0)
  48. + bytes = 0;
  49. + else if (bytes <= m1 || bytes <= m2)
  50. + bytes = 0;
  51. +
  52. + return bytes;
  53. +}
  54. +
  55. static int
  56. PixarLogFixupTags(TIFF* tif)
  57. {
  58. @@ -671,9 +685,11 @@ PixarLogSetupDecode(TIFF* tif)
  59. td->td_samplesperpixel : 1);
  60. tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
  61. td->td_rowsperstrip), sizeof(uint16));
  62. + /* add one more stride in case input ends mid-stride */
  63. + tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
  64. if (tbuf_size == 0)
  65. return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
  66. - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
  67. + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
  68. if (sp->tbuf == NULL)
  69. return (0);
  70. if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
  71. --
  72. 1.7.10.2