Description: fix denial of service and possible code execution via crafted PPM image
Origin: backport, ppm2tiff.c,v 1.17
Index: tiff-3.9.5/tools/ppm2tiff.c
===================================================================
--- tiff-3.9.5.orig/tools/ppm2tiff.c 2012-11-14 11:38:04.607867919 -0500
+++ tiff-3.9.5/tools/ppm2tiff.c 2012-11-14 11:38:17.603868253 -0500
@@ -85,6 +85,7 @@
 int c;
 extern int optind;
 extern char* optarg;
+ tsize_t scanline_size;
 
 if (argc < 2) {
 fprintf(stderr, "%s: Too few arguments\n", argv[0]);
@@ -233,8 +234,16 @@
 }
 if (TIFFScanlineSize(out) > linebytes)
 buf = (unsigned char *)_TIFFmalloc(linebytes);
- else
- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ else {
+ scanline_size = TIFFScanlineSize(out);
+ if (scanline_size != 0)
+ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ else {
+ fprintf(stderr, "%s: scanline size overflow\n",infile);
+ (void) TIFFClose(out);
+ exit(-2);
+ }
+ }
 if (resolution > 0) {
 TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
 TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
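Review bot: The zero-size guard in the second hunk sits only in the `else` arm, so the `TIFFScanlineSize(out) > linebytes` arm still calls `_TIFFmalloc(linebytes)` with no validation. `linebytes` is computed outside the hunk, and if it can wrap or go negative for a crafted header, the overflow check is never reached. The stored `scanline_size` is also not used for the allocation, which calls `TIFFScanlineSize(out)` a third time, and neither arm checks the `_TIFFmalloc` result for NULL before the resolution code that follows. Computing the size once, rejecting zero before the comparison and checking `buf` would close these gaps, as sketched below (the second error message is a suggested wording). The enclosing function starts and ends outside the hunk, so `linebytes` should be validated where it is computed as well.

```c
	/* … unchanged: everything up to the buffer allocation … */
	scanline_size = TIFFScanlineSize(out);
	if (scanline_size == 0) {
		fprintf(stderr, "%s: scanline size overflow\n", infile);
		(void) TIFFClose(out);
		exit(-2);
	}
	if (scanline_size > linebytes)
		buf = (unsigned char *)_TIFFmalloc(linebytes);
	else
		buf = (unsigned char *)_TIFFmalloc(scanline_size);
	if (buf == NULL) {
		fprintf(stderr, "%s: cannot allocate scanline buffer\n", infile);
		(void) TIFFClose(out);
		exit(-2);
	}
	/* … unchanged: resolution tags … */
```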