add patch from Redhat bug #871700 to fix a possible buffer overflow

due to integer overflow in the ppm2tiff cmd line tool (CVE-2012-4564)
bump PKGREV

1 files changed, 33 insertions, 0 deletions

diff --git a/graphics/tiff/patches/patch-CVE-2012-4564 b/graphics/tiff/patches/patch-CVE-2012-4564
new file mode 100644
index 00000000000..fe5a551ac75
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2012-4564
@@ -0,0 +1,33 @@
+$NetBSD: patch-CVE-2012-4564,v 1.1 2012/11/05 12:41:48 drochner Exp $
+
+see https://bugzilla.redhat.com/show_bug.cgi?id=871700
+
+--- tools/ppm2tiff.c.orig	2010-04-10 19:22:34.000000000 +0000
++++ tools/ppm2tiff.c
+@@ -89,6 +89,7 @@ main(int argc, char* argv[])
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
++	tmsize_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -237,8 +238,16 @@ main(int argc, char* argv[])
+ 	}
+ 	if (TIFFScanlineSize(out) > linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+-	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++	else {
++		scanline_size = TIFFScanlineSize(out);
++		if (scanline_size != 0)
++			buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++		else {
++			fprintf(stderr, "%s: scanline size overflow\n",infile);
++			(void) TIFFClose(out);
++			exit(-2);
++		}
++	}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);