diff options
Diffstat (limited to 'media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch')
| -rw-r--r-- | media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch | 77 |
1 files changed, 0 insertions, 77 deletions
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch deleted file mode 100644 index 98a6e6c4409d..000000000000 --- a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch +++ /dev/null @@ -1,77 +0,0 @@ -Upstream patch for CVE-2012-4564. - - -diff -Naur tiff-3.9.4.orig/tools/ppm2tiff.c tiff-3.9.4/tools/ppm2tiff.c ---- tiff-3.9.4.orig/tools/ppm2tiff.c 2010-06-08 14:50:44.000000000 -0400 -+++ tiff-3.9.4/tools/ppm2tiff.c 2012-12-10 16:16:05.154045877 -0500 -@@ -68,6 +68,17 @@ - exit(-2); - } - -+static tsize_t -+multiply_ms(tsize_t m1, tsize_t m2) -+{ -+ tsize_t bytes = m1 * m2; -+ -+ if (m1 && bytes / m1 != m2) -+ bytes = 0; -+ -+ return bytes; -+} -+ - int - main(int argc, char* argv[]) - { -@@ -85,6 +96,7 @@ - int c; - extern int optind; - extern char* optarg; -+ tsize_t scanline_size; - - if (argc < 2) { - fprintf(stderr, "%s: Too few arguments\n", argv[0]); -@@ -217,7 +229,8 @@ - } - switch (bpp) { - case 1: -- linebytes = (spp * w + (8 - 1)) / 8; -+ /* if round-up overflows, result will be zero, OK */ -+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; - if (rowsperstrip == (uint32) -1) { - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); - } else { -@@ -226,15 +239,31 @@ - } - break; - case 8: -- linebytes = spp * w; -+ linebytes = multiply_ms(spp, w); - TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, - TIFFDefaultStripSize(out, rowsperstrip)); - break; - } -- if (TIFFScanlineSize(out) > linebytes) -+ if (linebytes == 0) { -+ fprintf(stderr, "%s: scanline size overflow\n", infile); -+ (void) TIFFClose(out); -+ exit(-2); -+ } -+ scanline_size = TIFFScanlineSize(out); -+ if (scanline_size == 0) { -+ /* overflow - TIFFScanlineSize already printed a message */ -+ (void) TIFFClose(out); -+ exit(-2); -+ } -+ if (scanline_size < linebytes) - buf = (unsigned char *)_TIFFmalloc(linebytes); - else -- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); -+ buf = (unsigned char *)_TIFFmalloc(scanline_size); -+ if (buf == NULL) { -+ fprintf(stderr, "%s: Not enough memory\n", infile); -+ (void) TIFFClose(out); -+ exit(-2); -+ } - if (resolution > 0) { - TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); - TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); |