summarylogtreecommitdiffstats
path: root/tiff-3.9.7-CVE-2012-4447.patch
diff options
context:
space:
mode:
Diffstat (limited to 'tiff-3.9.7-CVE-2012-4447.patch')
-rw-r--r--tiff-3.9.7-CVE-2012-4447.patch37
1 files changed, 0 insertions, 37 deletions
diff --git a/tiff-3.9.7-CVE-2012-4447.patch b/tiff-3.9.7-CVE-2012-4447.patch
deleted file mode 100644
index f23e98466f56..000000000000
--- a/tiff-3.9.7-CVE-2012-4447.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
-possibility in the same file, which wasn't given a separate CVE.
-
-
-diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
---- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
-+++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
-@@ -641,6 +641,20 @@
- return bytes;
- }
-
-+static tsize_t
-+add_ms(tsize_t m1, tsize_t m2)
-+{
-+ tsize_t bytes = m1 + m2;
-+
-+ /* if either input is zero, assume overflow already occurred */
-+ if (m1 == 0 || m2 == 0)
-+ bytes = 0;
-+ else if (bytes <= m1 || bytes <= m2)
-+ bytes = 0;
-+
-+ return bytes;
-+}
-+
- static int
- PixarLogSetupDecode(TIFF* tif)
- {
-@@ -661,6 +675,8 @@
- td->td_samplesperpixel : 1);
- tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
- td->td_rowsperstrip), sizeof(uint16));
-+ /* add one more stride in case input ends mid-stride */
-+ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
- if (tbuf_size == 0)
- return (0);
- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);