Diffstat (limited to 'graphics/tiff/patches/patch-CVE-2018-12900')
-rw-r--r--graphics/tiff/patches/patch-CVE-2018-1290039
1 files changed, 39 insertions, 0 deletions
diff --git a/graphics/tiff/patches/patch-CVE-2018-12900 b/graphics/tiff/patches/patch-CVE-2018-12900
new file mode 100644
index 00000000000..5e80e395762
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2018-12900
@@ -0,0 +1,39 @@
+$NetBSD: patch-CVE-2018-12900,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $
+
+Fixes CVE-2018-12900
+
+Upstream commit:
+https://gitlab.com/libtiff/libtiff/commit/27124e9148b2056d0e0bf4033b4924d5d2a38d01.patch
+
+--- tools/tiffcp.c.orig 2018-10-13 13:58:55.000000000 +0000
++++ tools/tiffcp.c
+@@ -41,6 +41,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ #include <ctype.h>
+
+@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
+ int status = 1;
+ uint32 imagew = TIFFRasterScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew*spp;
++ int iskew;
+ tsize_t tilesize = TIFFTileSize(in);
+ tdata_t tilebuf;
+ uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
++ if (spp > (INT_MAX / tilew))
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++ return 0;
++ }
++ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+ return 0;
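Review bot: The added guard `if (spp > (INT_MAX / tilew))` divides by `tilew` before anything visible in the hunk establishes that it is non-zero. `TIFFTileRowSize()` reports failure by returning 0 as far as I know, so a malformed file that reaches this function with a zero tile row size would turn the integer-overflow fix into a division by zero. Testing the divisor first, e.g. `if (tilew && spp > (INT_MAX / tilew))`, avoids that; whether a zero `tilew` should instead be rejected outright depends on the rest of `readSeparateTilesIntoBuffer`, which continues outside the hunk. Separately, `iskew = imagew - tilew*spp` is still evaluated in `uint32` and then converted to `int`, so it is worth confirming that the later copy loop tolerates `tilew*spp` exceeding `imagew`.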