Fix CVE-2016-3945 (integer overflow in size of allocated buffer, when -b mode is enabled, that could result in out-of-bounds write). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945 http://bugzilla.maptools.org/show_bug.cgi?id=2545 Patch extracted from upstream CVS repo with: $ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c Index: tools/tiff2rgba.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v retrieving revision 1.21 retrieving revision 1.22 diff -u -r1.21 -r1.22 --- libtiff/tools/tiff2rgba.c 21 Jun 2015 01:09:10 -0000 1.21 +++ libtiff/tools/tiff2rgba.c 15 Aug 2016 20:06:41 -0000 1.22 @@ -147,6 +147,7 @@ uint32 row, col; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); @@ -163,7 +164,13 @@ /* * Allocate tile buffer */ - raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); + rastersize = tile_width * tile_height * sizeof (uint32); + if (tile_width != (rastersize / tile_height) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); @@ -173,7 +180,13 @@ * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + wrk_linesize = tile_width * sizeof (uint32); + if (tile_width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0; @@ -249,6 +262,7 @@ uint32 row; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); @@ -263,7 +277,13 @@ /* * Allocate strip buffer */ - raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); + rastersize = width * rowsperstrip * sizeof (uint32); + if (width != (rastersize / rowsperstrip) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); @@ -273,7 +293,13 @@ * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + wrk_linesize = width * sizeof (uint32); + if (width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0;