~ubuntu-branches/ubuntu/natty/tiff/natty

Description: fix TIFFroundup integer overflow (CVE-2010-2065).

Author: Bob Friesenhahn <bfriesen@GraphicsMagick.org> and Kees Cook <kees@ubuntu.com>

 

Index: tiff-3.9.2/libtiff/tif_ojpeg.c

===================================================================

--- tiff-3.9.2.orig/libtiff/tif_ojpeg.c 2010-06-10 12:56:15.218390746 -0700

+++ tiff-3.9.2/libtiff/tif_ojpeg.c      2010-06-10 12:57:08.268390489 -0700

@@ -1909,6 +1909,10 @@

                                        sp->in_buffer_source=osibsEof;

                                else

                                {

+                                       if (sp->tif->tif_dir.td_stripoffset == 0) {

+                                               TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip offsets are missing");

+                                               return(0);

+                                       }

                                        sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];  

                                        if (sp->in_buffer_file_pos!=0)

                                        {

Index: tiff-3.9.2/libtiff/tif_read.c

===================================================================

--- tiff-3.9.2.orig/libtiff/tif_read.c  2010-06-10 12:56:24.098391246 -0700

+++ tiff-3.9.2/libtiff/tif_read.c       2010-06-10 12:57:13.248390618 -0700

@@ -609,7 +609,7 @@

                tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);

                tif->tif_flags |= TIFF_MYBUFFER;

        }

-       if (tif->tif_rawdata == NULL) {

+       if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {

                TIFFErrorExt(tif->tif_clientdata, module,

                    "%s: No space for data buffer at scanline %ld",

                    tif->tif_name, (long) tif->tif_row);