
libtiff-3.8.2-13.2mdv2009.1.src.rpm

Upstream patch for bug #592361  (CVE-2010-1411)


diff -Naur tiff-3.8.2.orig/libtiff/tif_fax3.c tiff-3.8.2/libtiff/tif_fax3.c
--- tiff-3.8.2.orig/libtiff/tif_fax3.c	2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_fax3.c	2010-06-13 15:54:49.000000000 -0400
@@ -491,10 +491,26 @@
 	    td->td_compression == COMPRESSION_CCITTFAX4
 	);
 
-	nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels;
-
-	dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32),
-					  "for Group 3/4 run arrays");
+	/*
+	  Assure that allocation computations do not overflow.
+  
+	  TIFFroundup and TIFFSafeMultiply return zero on integer overflow
+	*/
+	dsp->runs=(uint32*) NULL;
+	nruns = TIFFroundup(rowpixels,32);
+	if (needsRefLine) {
+		nruns = TIFFSafeMultiply(uint32,nruns,2);
+	}
+	if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) {
+		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+			     "Row pixels integer overflow (rowpixels %u)",
+			     rowpixels);
+		return (0);
+	}
+	dsp->runs = (uint32*) _TIFFCheckMalloc(tif,
+					       TIFFSafeMultiply(uint32,nruns,2),
+					       sizeof (uint32),
+					       "for Group 3/4 run arrays");
 	if (dsp->runs == NULL)
 		return (0);
 	dsp->curruns = dsp->runs;
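Review bot: The `_TIFFCheckMalloc` call now requests `TIFFSafeMultiply(uint32,nruns,2)` entries where the removed code requested `2*nruns+3`, and nothing in the patch explains why the three spare entries can go. In the reference-line case `nruns` is the same value as before, so the run array is always three `uint32` entries smaller than it was. Please confirm against the decoder's run-writing code, which is outside this hunk, that nothing depended on that slack, and record the reasoning in the comment block, e.g. `/* 2*nruns entries suffice because nruns is rounded up to a multiple of 32 */` if that is indeed the argument. The `nruns == 0` test also fires for `rowpixels == 0`, which is then reported as "Row pixels integer overflow"; a short comment saying the zero-width case is rejected on purpose would help. The enclosing function starts and ends outside the hunk.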
diff -Naur tiff-3.8.2.orig/libtiff/tiffiop.h tiff-3.8.2/libtiff/tiffiop.h
--- tiff-3.8.2.orig/libtiff/tiffiop.h	2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tiffiop.h	2010-06-13 15:52:46.000000000 -0400
@@ -222,10 +222,15 @@
 #endif
 
 /* NB: the uint32 casts are to silence certain ANSI-C compilers */
-#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y)))
+#define TIFFhowmany(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ?	\
+			   ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+			   0U)
 #define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
 #define	TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
 
+/* Safe multiply which returns zero if there is an integer overflow */
+#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
+
 #define TIFFmax(A,B) ((A)>(B)?(A):(B))
 #define TIFFmin(A,B) ((A)<(B)?(A):(B))
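Review bot: `TIFFSafeMultiply` expands `v` and `m` without parentheses and multiplies them before casting to `t`, so an argument like `a+b` is grouped wrongly and the product is computed in the operands' own type, not in `t`. Casting each operand first keeps the wrap-around test inside `t`: `#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && ((((t)(v)*(t)(m))/(t)(m)) == (t)(v))) ? ((t)(v)*(t)(m)) : (t)0)`. The divide-back test is only sound for unsigned `t`, since signed overflow is undefined, and the header comment should say so. The new `TIFFhowmany` has the same hygiene problem in `(uint32)x` and `(y-1)`, which should read `(uint32)(x)` and `((uint32)(y)-1)`. Because `TIFFhowmany` and `TIFFroundup` now return 0 on overflow for every user of the header, callers outside this diff that do not test for zero should be audited.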