~ubuntu-branches/ubuntu/precise/tiff/precise-security


Viewing changes to libtiff/tif_strip.c

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2012-07-04 10:14:32 UTC
  • Revision ID: package-import@ubuntu.com-20120704101432-gn31zon1uiu3tewa
Tags: 3.9.5-2ubuntu1.1
* SECURITY UPDATE: possible arbitrary code execution via buffer overflow
  due to type-conversion flaw (LP: #1016324)
  - debian/patches/CVE-2012-2088.patch: check for overflows in
    libtiff/tif_strip.c and libtiff/tif_tile.c.
  - CVE-2012-2088
* SECURITY UPDATE: possible arbitrary code execution via integer
  overflows in tiff2pdf (LP: #1016324)
  - debian/patches/CVE-2012-2113.patch: check for overflows in
    tools/tiff2pdf.c.
  - CVE-2012-2113

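--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -107,6 +107,7 @@
 TIFFVStripSize(TIFF* tif, uint32 nrows)
 {
         TIFFDirectory *td = &tif->tif_dir;
+        uint32 stripsize;
 
         if (nrows == (uint32) -1)
                 nrows = td->td_imagelength;
@@ -122,7 +123,7 @@
                  * YCbCr data for the extended image.
                  */
                 uint16 ycbcrsubsampling[2];
-                tsize_t w, scanline, samplingarea;
+                uint32 w, scanline, samplingarea;
 
                 TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
                                       ycbcrsubsampling + 0,
@@ -141,13 +142,27 @@
                 nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
                 /* NB: don't need TIFFhowmany here 'cuz everything is rounded */
                 scanline = multiply(tif, nrows, scanline, "TIFFVStripSize");
-                return ((tsize_t)
-                    summarize(tif, scanline,
-                              multiply(tif, 2, scanline / samplingarea,
-                                       "TIFFVStripSize"), "TIFFVStripSize"));
+                /* a zero anywhere in here means overflow, must return zero */
+                if (scanline > 0) {
+                        uint32 extra =
+                            multiply(tif, 2, scanline / samplingarea,
+                                     "TIFFVStripSize");
+                        if (extra > 0)
+                                stripsize = summarize(tif, scanline, extra,
+                                                      "TIFFVStripSize");
+                        else
+                                stripsize = 0;
+                } else
+                        stripsize = 0;
         } else
-                return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif),
-                                           "TIFFVStripSize"));
+                stripsize = multiply(tif, nrows, TIFFScanlineSize(tif),
+                                     "TIFFVStripSize");
+        /* Because tsize_t is signed, we might have conversion overflow */
+        if (((tsize_t) stripsize) < 0) {
+                TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize");
+                stripsize = 0;
+        }
+        return (tsize_t) stripsize;
 }
 
 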
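Review bot: The 0 returned on overflow is an in-band sentinel, so the fix only holds if every caller of TIFFVStripSize rejects 0 before sizing a buffer or a read with it; those callers are outside this section, and a zero `nrows` presumably also yields 0 from `multiply`, so an empty strip and an overflow look the same. I would record the contract in the function's leading comment (which lies above the first hunk), e.g. `/* Returns 0 on integer overflow or when the size does not fit a signed tsize_t; callers must treat 0 as an error. */`. The final check `((tsize_t) stripsize) < 0` works only while tsize_t is exactly as wide as uint32 and relies on the implementation-defined result of the unsigned-to-signed conversion; comparing `stripsize` against the largest positive tsize_t value before the cast would state the intent directly. The context line `nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);` is not covered by the new checks, so if that macro is a plain add-and-divide, a wrapped `nrows` would reach `multiply` as a small value; worth confirming against its definition.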