libs/tiff/patches/017-CVE-2014-9330.patch

   1 Description: CVE-2014-9330
   2  Integer overflow in bmp2tiff
   3 Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494
   4 Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
   5 Bug-Debian: http://bugs.debian.org/773987
   6
   7 Index: tiff/tools/bmp2tiff.c
   8 ===================================================================
   9 --- tiff.orig/tools/bmp2tiff.c
  10 +++ tiff/tools/bmp2tiff.c
  11 @@ -1,4 +1,4 @@
  12 -/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $
  13 +/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $
  14   *
  15   * Project:  libtiff tools
  16   * Purpose:  Convert Windows BMP files in TIFF.
  17 @@ -403,6 +403,13 @@ main(int argc, char* argv[])
  18
  19                 width = info_hdr.iWidth;
  20                 length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
  21 +        if( width <= 0 || length <= 0 )
  22 +        {
  23 +            TIFFError(infilename,
  24 +                  "Invalid dimensions of BMP file" );
  25 +            close(fd);
  26 +            return -1;
  27 +        }
  28
  29                 switch (info_hdr.iBitCount)
  30                 {
  31 @@ -593,6 +600,14 @@ main(int argc, char* argv[])
  32
  33                         compr_size = file_hdr.iSize - file_hdr.iOffBits;
  34                         uncompr_size = width * length;
  35 +            /* Detect int overflow */
  36 +            if( uncompr_size / width != length )
  37 +            {
  38 +                TIFFError(infilename,
  39 +                    "Invalid dimensions of BMP file" );
  40 +                close(fd);
  41 +                return -1;
  42 +            }
  43                         comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
  44                         if (!comprbuf) {
  45                                 TIFFError(infilename,