Description: fix TIFFroundup integer overflow (CVE-2010-2065).
Author: Bob Friesenhahn <bfriesen@GraphicsMagick.org> and Kees Cook <kees@ubuntu.com>
Index: tiff-3.9.2/libtiff/tif_ojpeg.c
5
===================================================================
6
--- tiff-3.9.2.orig/libtiff/tif_ojpeg.c 2010-06-10 12:56:15.218390746 -0700
7
+++ tiff-3.9.2/libtiff/tif_ojpeg.c 2010-06-10 12:57:08.268390489 -0700
9
sp->in_buffer_source=osibsEof;
12
+ if (sp->tif->tif_dir.td_stripoffset == 0) {
13
+ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip offsets are missing");
16
sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];
17
if (sp->in_buffer_file_pos!=0)
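Review bot: The added test `if (sp->tif->tif_dir.td_stripoffset == 0)` rejects a missing offset array, but the read on the next line still indexes that array with `sp->in_buffer_next_strile`, and nothing in the visible lines bounds the index by the number of offsets the directory actually holds. If the caller does not already guarantee that, the guard should also compare the index with the directory's strip count (presumably `td_nstrips`) before the dereference. Writing the pointer test as `== NULL` would match the tif_read.c hunk of this patch. The body of the added `if` and the rest of the enclosing function are outside what this page shows, so this assumes the error branch returns before the array is read.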
19
Index: tiff-3.9.2/libtiff/tif_read.c
20
===================================================================
21
--- tiff-3.9.2.orig/libtiff/tif_read.c 2010-06-10 12:56:24.098391246 -0700
22
+++ tiff-3.9.2/libtiff/tif_read.c 2010-06-10 12:57:13.248390618 -0700
24
tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
25
tif->tif_flags |= TIFF_MYBUFFER;
27
- if (tif->tif_rawdata == NULL) {
28
+ if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {
29
TIFFErrorExt(tif->tif_clientdata, module,
30
"%s: No space for data buffer at scanline %ld",
31
tif->tif_name, (long) tif->tif_row);