1 Description: CVE-2014-9330
2 Integer overflow in bmp2tiff
3 Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494
4 Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
5 Bug-Debian: http://bugs.debian.org/773987
7 Index: tiff/tools/bmp2tiff.c
8 ===================================================================
9 --- tiff.orig/tools/bmp2tiff.c
10 +++ tiff/tools/bmp2tiff.c
12 -/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $
13 +/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $
15 * Project: libtiff tools
16 * Purpose: Convert Windows BMP files in TIFF.
17 @@ -403,6 +403,13 @@ main(int argc, char* argv[])
19 width = info_hdr.iWidth;
20 length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
21 + if( width <= 0 || length <= 0 )
23 + TIFFError(infilename,
24 + "Invalid dimensions of BMP file" );
29 switch (info_hdr.iBitCount)
31 @@ -593,6 +600,14 @@ main(int argc, char* argv[])
33 compr_size = file_hdr.iSize - file_hdr.iOffBits;
34 uncompr_size = width * length;
35 + /* Detect int overflow */
36 + if( uncompr_size / width != length )
38 + TIFFError(infilename,
39 + "Invalid dimensions of BMP file" );
43 comprbuf = (unsigned char *) _TIFFmalloc( compr_size );