← Back to branch summary

~ubuntu-branches/ubuntu/quantal/tiff/quantal-security

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2009-2347.patch

  • Committer: Bazaar Package Importer
  • Author(s): Jay Berkenbilt
  • Date: 2009-07-12 18:03:33 UTC
  • Revision ID: james.westby@ubuntu.com-20090712180333-5x1qofl4mp5dhsa7
Tags: 3.8.2-13
* Apply patches to fix CVE-2009-2347, which covers two integer overflow
  conditions.
* LZW patch from last update addressed CVE-2009-2285.  Renamed the patch
  to make this clearer.

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/CVE-2009-2347.patch
 
1
Index: tiff-3.8.2/tools/rgb2ycbcr.c
 
2
===================================================================
 
3
--- tiff-3.8.2.orig/tools/rgb2ycbcr.c   2009-07-12 14:37:00.967192158 -0400
 
4
+++ tiff-3.8.2/tools/rgb2ycbcr.c        2009-07-12 14:37:20.287192468 -0400
 
5
@@ -34,6 +34,7 @@
 
6
 # include <unistd.h>
 
7
 #endif
 
8
 
 
9
+#include "tiffiop.h"
 
10
 #include "tiffio.h"
 
11
 
 
12
 #define        streq(a,b)      (strcmp(a,b) == 0)
 
13
@@ -279,13 +280,30 @@
 
14
        char *stringv;
 
15
        uint32 longv;
 
16
 
 
17
+       size_t pixel_count;
 
18
        TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 
19
        TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
 
20
-       raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
 
21
+       pixel_count = width * height;
 
22
+
 
23
+       /* XXX: Check the integer overflow. */
 
24
+       if (!width || !height || pixel_count / width != height) {
 
25
+               TIFFError(TIFFFileName(in),
 
26
+                         "Malformed input file; "
 
27
+                         "can't allocate buffer for raster of %lux%lu size",
 
28
+                         (unsigned long)width, (unsigned long)height);
 
29
+               return 0;
 
30
+       }
 
31
+
 
32
+       raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32),
 
33
+                                          "raster buffer");
 
34
        if (raster == 0) {
 
35
-               TIFFError(TIFFFileName(in), "No space for raster buffer");
 
36
+               TIFFError(TIFFFileName(in),
 
37
+                         "Requested buffer size is %lu elements %lu each",
 
38
+                         (unsigned long)pixel_count,
 
39
+                         (unsigned long)sizeof(uint32));
 
40
                return (0);
 
41
        }
 
42
+
 
43
        if (!TIFFReadRGBAImage(in, width, height, raster, 0)) {
 
44
                _TIFFfree(raster);
 
45
                return (0);
 
46
Index: tiff-3.8.2/tools/tiff2rgba.c
 
47
===================================================================
 
48
--- tiff-3.8.2.orig/tools/tiff2rgba.c   2009-07-12 14:37:00.975192458 -0400
 
49
+++ tiff-3.8.2/tools/tiff2rgba.c        2009-07-12 14:37:20.295191816 -0400
 
50
@@ -34,6 +34,7 @@
 
51
 # include <unistd.h>
 
52
 #endif
 
53
 
 
54
+#include "tiffiop.h"
 
55
 #include "tiffio.h"
 
56
 
 
57
 #define        streq(a,b)      (strcmp(a,b) == 0)
 
58
@@ -328,16 +329,27 @@
 
59
     uint32* raster;                    /* retrieve RGBA image */
 
60
     uint32  width, height;             /* image width & height */
 
61
     uint32  row;
 
62
+    size_t pixel_count;
 
63
         
 
64
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 
65
     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
 
66
+    pixel_count = width * height;
 
67
+
 
68
+    /* XXX: Check the integer overflow. */
 
69
+    if (!width || !height || pixel_count / width != height) {
 
70
+        TIFFError(TIFFFileName(in),
 
71
+                 "Malformed input file; can't allocate buffer for raster of %lux%lu size",
 
72
+                 (unsigned long)width, (unsigned long)height);
 
73
+        return 0;
 
74
+    }
 
75
 
 
76
     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
 
77
     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
 
78
 
 
79
-    raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
 
80
+    raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer");
 
81
     if (raster == 0) {
 
82
-        TIFFError(TIFFFileName(in), "No space for raster buffer");
 
83
+        TIFFError(TIFFFileName(in), "Requested buffer size is %lu elements %lu each",
 
84
+                 (unsigned long)pixel_count, (unsigned long)sizeof(uint32));
 
85
         return (0);
 
86
     }
 
87
 
 
88
@@ -353,18 +365,18 @@
 
89
     */
 
90
     if( no_alpha )
 
91
     {
 
92
-        int    pixel_count = width * height;
 
93
+        size_t count = pixel_count;
 
94
         unsigned char *src, *dst;
 
95
 
 
96
         src = (unsigned char *) raster;
 
97
         dst = (unsigned char *) raster;
 
98
-        while( pixel_count > 0 )
 
99
+        while(count > 0)
 
100
         {
 
101
             *(dst++) = *(src++);
 
102
             *(dst++) = *(src++);
 
103
             *(dst++) = *(src++);
 
104
             src++;
 
105
-            pixel_count--;
 
106
+            count--;
 
107
         }
 
108
     }
 
109