From ea6d8ff30c7483d47ecc0eb6be9a67422c1a7009 Mon Sep 17 00:00:00 2001
From: Arie Haenel <arie.haenel@jct.ac.il>
Date: Wed, 19 Jul 2023 19:34:25 +0000
Subject: tiffcp: fix memory corruption (overflow) on hostile images (fixes
#591)
---
tools/tiffcp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index c6ac5d12..a83700a1 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1438,6 +1438,11 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
return 0;
}
+ if ( (imagew - tilew * spp) > INT_MAX )
+ {
+ TIFFError(TIFFFileName(in), "Error, image raster scan line size is too large");
+ return 0;
+ }
iskew = imagew - tilew*spp;
tilebuf = limitMalloc(tilesize);
if (tilebuf == 0)
--
2.30.2
distrib
>
Mageia
>
8
>
i586
>
media
>
core-updates_testing-src
>
by-pkgid
>
0a4e82cc20594aa76c552ec815a3f474
>
files
>
7
