diff options
Diffstat (limited to 'tiff-3.9.7-CVE-2012-4447.patch')
-rw-r--r-- | tiff-3.9.7-CVE-2012-4447.patch | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/tiff-3.9.7-CVE-2012-4447.patch b/tiff-3.9.7-CVE-2012-4447.patch deleted file mode 100644 index f23e98466f56..000000000000 --- a/tiff-3.9.7-CVE-2012-4447.patch +++ /dev/null @@ -1,37 +0,0 @@ -Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read -possibility in the same file, which wasn't given a separate CVE. - - -diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c ---- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400 -+++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500 -@@ -641,6 +641,20 @@ - return bytes; - } - -+static tsize_t -+add_ms(tsize_t m1, tsize_t m2) -+{ -+ tsize_t bytes = m1 + m2; -+ -+ /* if either input is zero, assume overflow already occurred */ -+ if (m1 == 0 || m2 == 0) -+ bytes = 0; -+ else if (bytes <= m1 || bytes <= m2) -+ bytes = 0; -+ -+ return bytes; -+} -+ - static int - PixarLogSetupDecode(TIFF* tif) - { -@@ -661,6 +675,8 @@ - td->td_samplesperpixel : 1); - tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth), - td->td_rowsperstrip), sizeof(uint16)); -+ /* add one more stride in case input ends mid-stride */ -+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); - if (tbuf_size == 0) - return (0); - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); |