Upstream patch for bug #601274 (CVE-2010-2065)
diff -Naur tiff-3.8.2.orig/libtiff/tif_read.c tiff-3.8.2/libtiff/tif_read.c
--- tiff-3.8.2.orig/libtiff/tif_read.c 2005-12-21 07:33:56.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_read.c 2010-06-13 16:04:13.000000000 -0400
@@ -525,16 +525,18 @@
 _TIFFfree(tif->tif_rawdata);
 tif->tif_rawdata = NULL;
 }
+
 if (bp) {
 tif->tif_rawdatasize = size;
 tif->tif_rawdata = (tidata_t) bp;
 tif->tif_flags &= ~TIFF_MYBUFFER;
 } else {
 tif->tif_rawdatasize = TIFFroundup(size, 1024);
- tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
+ if (tif->tif_rawdatasize > 0)
+ tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
 tif->tif_flags |= TIFF_MYBUFFER;
 }
- if (tif->tif_rawdata == NULL) {
+ if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {
 TIFFErrorExt(tif->tif_clientdata, module,
 "%s: No space for data buffer at scanline %ld",
 tif->tif_name, (long) tif->tif_row);
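Review bot: The new failure test `tif->tif_rawdatasize == 0` is narrower than the `> 0` guard added in the else branch, so a caller-supplied `bp` with a negative `size` still passes: `tif_rawdata` is non-NULL and `tif_rawdatasize` is non-zero. If `tif_rawdatasize` is a signed type (its declaration is outside the hunk, but the `> 0` guard suggests it), the check should read `if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize <= 0)) {`. A short comment above the guard, such as `/* TIFFroundup() can yield a non-positive size for a bogus strip/tile byte count; never allocate or accept such a buffer */`, would record why the size is tested after rounding. The reused "No space for data buffer" message also reports an invalid size as an allocation failure, which will mislead anyone triaging a malformed file. The enclosing function starts and ends outside the hunk, so what the error path does with `TIFF_MYBUFFER` cannot be checked from here.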