3
From 147b2698c84004fe2da93c0fc7177a7c3797533d Mon Sep 17 00:00:00 2001
4
From: erouault <erouault>
5
Date: Mon, 2 Mar 2015 16:16:38 +0000
6
Subject: [PATCH] * tools/tiffdither.c: check memory allocations to avoid
7
writing to NULL pointer. Also check multiplication overflow. Fixes #2501,
8
CVE-2014-8128. Derived from patch by Petr Gajdos.
12
tools/tiffdither.c | 21 ++++++++++++++++-----
13
2 files changed, 22 insertions(+), 5 deletions(-)
15
Index: tiff-3.9.5/tools/tiffdither.c
16
===================================================================
17
--- tiff-3.9.5.orig/tools/tiffdither.c 2015-03-30 08:29:12.635045306 -0400
18
+++ tiff-3.9.5/tools/tiffdither.c 2015-03-30 08:29:38.667271319 -0400
25
#define streq(a,b) (strcmp(a,b) == 0)
26
#define strneq(a,b,n) (strncmp(a,b,n) == 0)
28
* Floyd-Steinberg error propragation with threshold.
29
* This code is stolen from tiffmedian.
33
fsdither(TIFF* in, TIFF* out)
35
unsigned char *outline, *inputline, *inptr;
37
int lastline, lastpixel;
42
imax = imagelength - 1;
43
jmax = imagewidth - 1;
44
inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
45
- thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
46
- nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
47
+ thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tsize_t, imagewidth, sizeof (short)));
48
+ nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tsize_t, imagewidth, sizeof (short)));
49
outlinesize = TIFFScanlineSize(out);
50
outline = (unsigned char *) _TIFFmalloc(outlinesize);
51
+ if (! (inputline && thisline && nextline && outline)) {
52
+ fprintf(stderr, "Out of memory.\n");
59
if (TIFFReadScanline(in, inputline, 0, 0) <= 0)
65
for (j = 0; j < imagewidth; ++j)
68
lastline = (i == imax);
69
if (TIFFReadScanline(in, inputline, i, 0) <= 0)
74
for (j = 0; j < imagewidth; ++j)
78
if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
94
static uint16 compression = COMPRESSION_PACKBITS;