← Back to branch summary

~ubuntu-branches/ubuntu/precise/tiff/precise-security

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2014-81xx-11.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-30 08:11:18 UTC
  • Revision ID: package-import@ubuntu.com-20150330081118-bvaoaii1act27voq
Tags: 3.9.5-2ubuntu1.7
* SECURITY UPDATE: Fix multiple security issues
  - debian/patches/CVE-2014-81xx-1.patch to CVE-2014-81xx-11.patch
  - debian/patches/CVE-2014-8128-5.patch
  - debian/patches/CVE-2014-9655-1.patch to CVE-2014-9655-3.patch
  - debian/patches/read_overrun.patch
  - debian/patches/CVE-2014-8130.patch
  - CVE-2014-8127 (partially)
  - CVE-2014-8128
  - CVE-2014-8129
  - CVE-2014-8130
  - CVE-2014-9330
  - CVE-2014-9655

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/CVE-2014-81xx-11.patch
 
1
Backport of:
 
2
 
 
3
From 147b2698c84004fe2da93c0fc7177a7c3797533d Mon Sep 17 00:00:00 2001
 
4
From: erouault <erouault>
 
5
Date: Mon, 2 Mar 2015 16:16:38 +0000
 
6
Subject: [PATCH] * tools/tiffdither.c: check memory allocations to avoid
 
7
 writing to NULL pointer. Also check multiplication overflow. Fixes #2501,
 
8
 CVE-2014-8128. Derived from patch by Petr Gajdos.
 
9
 
 
10
---
 
11
 ChangeLog          |  6 ++++++
 
12
 tools/tiffdither.c | 21 ++++++++++++++++-----
 
13
 2 files changed, 22 insertions(+), 5 deletions(-)
 
14
 
 
15
Index: tiff-3.9.5/tools/tiffdither.c
 
16
===================================================================
 
17
--- tiff-3.9.5.orig/tools/tiffdither.c  2015-03-30 08:29:12.635045306 -0400
 
18
+++ tiff-3.9.5/tools/tiffdither.c       2015-03-30 08:29:38.667271319 -0400
 
19
@@ -35,6 +35,7 @@
 
20
 #endif
 
21
 
 
22
 #include "tiffio.h"
 
23
+#include "tiffiop.h"
 
24
 
 
25
 #define        streq(a,b)      (strcmp(a,b) == 0)
 
26
 #define        strneq(a,b,n)   (strncmp(a,b,n) == 0)
 
27
@@ -52,7 +53,7 @@
 
28
  * Floyd-Steinberg error propragation with threshold.
 
29
  * This code is stolen from tiffmedian.
 
30
  */
 
31
-static void
 
32
+static int
 
33
 fsdither(TIFF* in, TIFF* out)
 
34
 {
 
35
        unsigned char *outline, *inputline, *inptr;
 
36
@@ -64,20 +65,26 @@
 
37
        int lastline, lastpixel;
 
38
        int bit;
 
39
        tsize_t outlinesize;
 
40
+       int errcode = 0;
 
41
 
 
42
        imax = imagelength - 1;
 
43
        jmax = imagewidth - 1;
 
44
        inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
 
45
-       thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
 
46
-       nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
 
47
+       thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tsize_t, imagewidth, sizeof (short)));
 
48
+       nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tsize_t, imagewidth, sizeof (short)));
 
49
        outlinesize = TIFFScanlineSize(out);
 
50
        outline = (unsigned char *) _TIFFmalloc(outlinesize);
 
51
+       if (! (inputline && thisline && nextline && outline)) {
 
52
+           fprintf(stderr, "Out of memory.\n");
 
53
+           goto skip_on_error;
 
54
+       }
 
55
 
 
56
        /*
 
57
         * Get first line
 
58
         */
 
59
        if (TIFFReadScanline(in, inputline, 0, 0) <= 0)
 
60
-               return;
 
61
+            goto skip_on_error;
 
62
+
 
63
        inptr = inputline;
 
64
        nextptr = nextline;
 
65
        for (j = 0; j < imagewidth; ++j)
 
66
@@ -88,7 +95,7 @@
 
67
                nextline = tmpptr;
 
68
                lastline = (i == imax);
 
69
                if (TIFFReadScanline(in, inputline, i, 0) <= 0)
 
70
-                       break;
 
71
+                       goto skip_on_error;
 
72
                inptr = inputline;
 
73
                nextptr = nextline;
 
74
                for (j = 0; j < imagewidth; ++j)
 
75
@@ -126,12 +133,18 @@
 
76
                        }
 
77
                }
 
78
                if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
 
79
-                       break;
 
80
+                       goto skip_on_error;
 
81
        }
 
82
+       goto exit_label;
 
83
+
 
84
+  skip_on_error:
 
85
+       errcode = 1;
 
86
+  exit_label:
 
87
        _TIFFfree(inputline);
 
88
        _TIFFfree(thisline);
 
89
        _TIFFfree(nextline);
 
90
        _TIFFfree(outline);
 
91
+       return errcode;
 
92
 }
 
93
 
 
94
 static uint16 compression = COMPRESSION_PACKBITS;