Fix CVE-2016-3945 (integer overflow in size of allocated
buffer, when -b mode is enabled, that could result in out-of-bounds
write).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945
http://bugzilla.maptools.org/show_bug.cgi?id=2545
Patch extracted from upstream CVS repo with:
$ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c
Index: tools/tiff2rgba.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
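--- libtiff/tools/tiff2rgba.c 21 Jun 2015 01:09:10 -0000 1.21
+++ libtiff/tools/tiff2rgba.c 15 Aug 2016 20:06:41 -0000 1.22
@@ -147,6 +147,7 @@
 uint32 row, col;
 uint32 *wrk_line;
 int ok = 1;
+ uint32 rastersize, wrk_linesize;
 
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -163,7 +164,13 @@
 /*
 * Allocate tile buffer
 */
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ rastersize = tile_width * tile_height * sizeof (uint32);
+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);
@@ -173,7 +180,13 @@
 * Allocate a scanline buffer for swapping during the vertical
 * mirroring pass.
 */
- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ wrk_linesize = tile_width * sizeof (uint32);
+ if (tile_width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
 if (!wrk_line) {
 TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
 ok = 0;
@@ -249,6 +262,7 @@
 uint32 row;
 uint32 *wrk_line;
 int ok = 1;
+ uint32 rastersize, wrk_linesize;
 
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -263,7 +277,13 @@
 /*
 * Allocate strip buffer
 */
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ rastersize = width * rowsperstrip * sizeof (uint32);
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+ exit(-1);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);
@@ -273,7 +293,13 @@
 * Allocate a scanline buffer for swapping during the vertical
 * mirroring pass.
 */
- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ wrk_linesize = width * sizeof (uint32);
+ if (width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+ exit(-1);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
 if (!wrk_line) {
 TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
 ok = 0;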
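Review bot: The new check `if (tile_width != (rastersize / tile_height) / sizeof( uint32))` divides by `tile_height`, and the strip variant divides by `rowsperstrip`, so a zero value read from the file would fault on the division instead of reaching the overflow error path. Neither hunk shows those fields being validated (the enclosing functions start and end outside the hunks), so the guard is better made explicit: `if (tile_height == 0 || tile_width != (rastersize / tile_height) / sizeof (uint32))`, with `rowsperstrip == 0 ||` added the same way in the strip hunk. The new branches also call `exit(-1)` where the adjacent allocation failures `return (0)`; returning 0 would keep the functions' existing error convention, and in the two `wrk_line` branches it would give the already-allocated `raster` a chance to be freed.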