[packages] tiff: fix another buffer overflow
[openwrt/svn-archive/archive.git] / libs / tiff / patches / 904-cve-2009-2347.patch
1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2347
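--- a/tools/rgb2ycbcr.c
+++ b/tools/rgb2ycbcr.c
@@ -202,6 +202,17 @@ cvtClump(unsigned char* op, uint32* rast
 #undef LumaBlue
 #undef V2Code
 
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
 /*
 * Convert a strip of RGB data to YCbCr and
 * sample to generate the output data.
@@ -278,10 +289,19 @@ tiffcvt(TIFF* in, TIFF* out)
 float floatv;
 char *stringv;
 uint32 longv;
+ tsize_t raster_size;
 
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);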
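Review bot: The overflow test in `multiply()` runs only after `m1 * m2` has been computed, so if `tsize_t` is a signed type (its definition is not shown on this page) the overflow is already undefined behaviour by the time `prod / m1 != m2` is evaluated. In that case a `uint32` dimension above the signed range also arrives as a negative operand, which the division test does not reject. Checking before multiplying covers both cases: `if (m1 < 0 || m2 < 0 || (m1 && m2 > TSIZE_MAX / m1)) return 0;`, where `TSIZE_MAX` is a placeholder for the largest `tsize_t` value and not a name from this patch. The caller in `tiffcvt` would be more robust with `if (raster_size <= 0)` than with `if (!raster_size)`. The same helper is copied into tools/tiff2rgba.c and needs the same change.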
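--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -124,6 +124,17 @@ main(int argc, char* argv[])
 return (0);
 }
 
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+ tsize_t prod = m1 * m2;
+
+ if (m1 && prod / m1 != m2)
+ prod = 0; /* overflow */
+
+ return prod;
+}
+
 static int
 cvt_by_tile( TIFF *in, TIFF *out )
 
@@ -133,6 +144,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
 uint32 tile_width, tile_height;
 uint32 row, col;
 uint32 *wrk_line;
+ tsize_t raster_size;
 int ok = 1;
 
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -150,7 +162,14 @@ cvt_by_tile( TIFF *in, TIFF *out )
 /*
 * Allocate tile buffer
 */
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) tile_width, (unsigned long) tile_height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);
@@ -158,7 +177,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
 
 /*
 * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
 */
 wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
 if (!wrk_line) {
@@ -226,6 +245,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
 uint32 width, height; /* image width & height */
 uint32 row;
 uint32 *wrk_line;
+ tsize_t raster_size;
 int ok = 1;
 
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -241,7 +261,14 @@ cvt_by_strip( TIFF *in, TIFF *out )
 /*
 * Allocate strip buffer
 */
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) rowsperstrip);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);
@@ -249,7 +276,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
 
 /*
 * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
+ * mirroring pass. (Request can't overflow given prior checks.)
 */
 wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
 if (!wrk_line) {
@@ -328,14 +355,22 @@ cvt_whole_image( TIFF *in, TIFF *out )
 uint32* raster; /* retrieve RGBA image */
 uint32 width, height; /* image width & height */
 uint32 row;
-
+ tsize_t raster_size;
+
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
 
 rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
 TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
 
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+ raster_size = multiply(multiply(width, height), sizeof (uint32));
+ if (!raster_size) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate buffer for raster of size %lux%lu",
+ (unsigned long) width, (unsigned long) height);
+ return (0);
+ }
+ raster = (uint32*)_TIFFmalloc(raster_size);
 if (raster == 0) {
 TIFFError(TIFFFileName(in), "No space for raster buffer");
 return (0);
@@ -353,7 +388,7 @@ cvt_whole_image( TIFF *in, TIFF *out )
 */
 if( no_alpha )
 {
- int pixel_count = width * height;
+ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
 unsigned char *src, *dst;
 
 src = (unsigned char *) raster;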
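Review bot: In `cvt_whole_image` the new `pixel_count` line multiplies `(tsize_t) width * (tsize_t) height` with no check of its own; the result is in range only because the function has already returned when `multiply()` reported overflow for the same two values times `sizeof (uint32)`. That dependency deserves a comment in the style the patch uses at the `wrk_line` allocations, for example `/* cannot overflow: width * height * sizeof (uint32) was checked above */`. The two "(Request can't overflow given prior checks.)" comments rest on the same assumption, so all three hold only as far as `multiply()` itself is sound. The `no_alpha` block continues past the end of the hunk, so the loop that consumes `pixel_count` is not visible here.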