1
Description: fix integer overflow in use of TIFFroundup (CVE-2010-1411)
2
Author: Tomas Hoger <thoger@redhat.com>
1
Description: fix integer overflows, introduce TIFFSafeMultiply
2
Origin: backported from libtiff 3.9.4
4
Index: tiff-3.8.2/libtiff/tif_fax3.c
5
===================================================================
6
--- tiff-3.8.2.orig/libtiff/tif_fax3.c 2010-06-10 18:09:58.779641597 -0700
7
+++ tiff-3.8.2/libtiff/tif_fax3.c 2010-06-10 18:11:50.949640612 -0700
4
diff -Naur tiff-3.8.2.ori/libtiff/tif_fax3.c tiff-3.8.2/libtiff/tif_fax3.c
5
--- tiff-3.8.2.ori/libtiff/tif_fax3.c 2012-04-02 11:57:19.010090410 -0400
6
+++ tiff-3.8.2/libtiff/tif_fax3.c 2012-04-02 12:01:32.918087990 -0400
9
8
td->td_compression == COMPRESSION_CCITTFAX4
12
11
- nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels;
13
+ Assure that allocation computations do not overflow.
15
+ TIFFroundup and TIFFSafeMultiply return zero on integer overflow
17
+ dsp->runs=(uint32*) NULL;
18
+ nruns = TIFFroundup(rowpixels,32);
13
19
+ if (needsRefLine) {
14
+ /* integer overflow check */
15
+ if ((uint32)rowpixels > 0xffffffff - 32 || TIFFroundup(rowpixels,32) > 0xffffffff / 2)
17
+ nruns = 2*TIFFroundup(rowpixels,32);
20
+ /* integer overflow check */
21
+ if (nruns > (0xffffffff - 3) / 2)
20
+ nruns = TIFFSafeMultiply(uint32,nruns,2);
22
+ if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) {
23
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
24
+ "Row pixels integer overflow (rowpixels %u)",
24
dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32),
25
"for Group 3/4 run arrays");
28
+ dsp->runs = (uint32*) _TIFFCheckMalloc(tif,
29
+ TIFFSafeMultiply(uint32,nruns,2),
31
+ "for Group 3/4 run arrays");
33
- dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32),
34
- "for Group 3/4 run arrays");
35
if (dsp->runs == NULL)
37
dsp->curruns = dsp->runs;
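Review bot: The run-array element count is checked in one expansion of `TIFFSafeMultiply(uint32,nruns,2)` and then recomputed by a second expansion inside the `_TIFFCheckMalloc` call, so the guard and the allocation match only because the macro has no side effects. Computing it once, `uint32 nelem = TIFFSafeMultiply(uint32,nruns,2);` then `if (nruns == 0 || nelem == 0)`, and passing `nelem` to the allocator would make the checked value and the allocated value the same by construction. The `nruns == 0` arm also appears to fire when `rowpixels` itself is zero (unless that is rejected earlier, outside the visible lines), which would be reported as "Row pixels integer overflow"; that fails safely but the message misleads. The call being replaced sized the buffer as `2*nruns+3` and the new one drops the `+3`, so it is worth confirming against the decoder, which is not shown here, that nothing depended on that slack. The enclosing function starts and ends outside the visible lines, and this page omits several lines of the patch.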
38
diff -Naur tiff-3.8.2.ori/libtiff/tiffiop.h tiff-3.8.2/libtiff/tiffiop.h
39
--- tiff-3.8.2.ori/libtiff/tiffiop.h 2006-03-21 11:42:50.000000000 -0500
40
+++ tiff-3.8.2/libtiff/tiffiop.h 2012-04-02 11:58:04.838089974 -0400
44
/* NB: the uint32 casts are to silence certain ANSI-C compilers */
45
-#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y)))
46
+#define TIFFhowmany(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
47
+ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
49
#define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
50
#define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
52
+/* Safe multiply which returns zero if there is an integer overflow */
53
+#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
55
#define TIFFmax(A,B) ((A)>(B)?(A):(B))
56
#define TIFFmin(A,B) ((A)<(B)?(A):(B))
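Review bot: `TIFFSafeMultiply(t,v,m)` uses `v` and `m` unparenthesized and evaluates `v*m` in the promoted type of the operands rather than in `t`, so its overflow test is sound only when both arguments are already simple unsigned values of type `t`. With a signed operand the product can overflow (undefined behaviour) before the divide-back check runs, and with an operand wider than `t` the check can pass while `(t)(v*m)` silently truncates. For the `uint32` use in this patch, casting first closes both gaps: `#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && ((((t)(v)*(t)(m))/(t)(m)) == (t)(v))) ? (t)((t)(v)*(t)(m)) : (t)0)`. The new `TIFFhowmany` has the same hygiene problem in `(uint32)x` and `(uint32)(y-1)`, where an expression argument would be cast or decremented only in part. Because `TIFFhowmany` and `TIFFroundup` now return zero on overflow, a comment at the definition such as `/* returns 0 on overflow; callers must check before using the result as a size */` would help, since other callers cannot be checked from this page.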