https://github.com/libsdl-org/libtiff/commit/3f8d15254aa69d310d09e9c84e11d26c8491739a
From 3f8d15254aa69d310d09e9c84e11d26c8491739a Mon Sep 17 00:00:00 2001
From: Tom Lane <[EMAIL REDACTED]>
Date: Mon, 10 Dec 2012 18:27:35 +0000
Subject: [PATCH] Back-patch fix for CVE-2012-4564
---
ChangeLog | 4 ++++
tools/ppm2tiff.c | 39 ++++++++++++++++++++++++++++++++++-----
2 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 6d6d2d19..6e2d47cf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>
+
+ * tools/ppm2tiff.c: Back-patch fix for CVE-2012-4564.
+
2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>
* libtiff/tif_pixarlog.c: Back-patch recent security fixes for
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
index 6078459f..ec8be5d4 100644
--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
@@ -1,4 +1,4 @@
-/* $Id: ppm2tiff.c,v 1.13.2.2 2010-06-08 18:50:44 bfriesen Exp $ */
+/* $Id: ppm2tiff.c,v 1.13.2.3 2012-12-10 18:27:35 tgl Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -68,6 +68,17 @@ BadPPM(char* file)
exit(-2);
}
+static tsize_t
+multiply_ms(tsize_t m1, tsize_t m2)
+{
+ tsize_t bytes = m1 * m2;
+
+ if (m1 && bytes / m1 != m2)
+ bytes = 0;
+
+ return bytes;
+}
+
int
main(int argc, char* argv[])
{
@@ -85,6 +96,7 @@ main(int argc, char* argv[])
int c;
extern int optind;
extern char* optarg;
+ tsize_t scanline_size;
if (argc < 2) {
fprintf(stderr, "%s: Too few arguments\n", argv[0]);
@@ -217,7 +229,8 @@ main(int argc, char* argv[])
}
switch (bpp) {
case 1:
- linebytes = (spp * w + (8 - 1)) / 8;
+ /* if round-up overflows, result will be zero, OK */
+ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
if (rowsperstrip == (uint32) -1) {
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
} else {
@@ -226,15 +239,31 @@ main(int argc, char* argv[])
}
break;
case 8:
- linebytes = spp * w;
+ linebytes = multiply_ms(spp, w);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
TIFFDefaultStripSize(out, rowsperstrip));
break;
}
- if (TIFFScanlineSize(out) > linebytes)
+ if (linebytes == 0) {
+ fprintf(stderr, "%s: scanline size overflow\n", infile);
+ (void) TIFFClose(out);
+ exit(-2);
+ }
+ scanline_size = TIFFScanlineSize(out);
+ if (scanline_size == 0) {
+ /* overflow - TIFFScanlineSize already printed a message */
+ (void) TIFFClose(out);
+ exit(-2);
+ }
+ if (scanline_size < linebytes)
buf = (unsigned char *)_TIFFmalloc(linebytes);
else
- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ buf = (unsigned char *)_TIFFmalloc(scanline_size);
+ if (buf == NULL) {
+ fprintf(stderr, "%s: Not enough memory\n", infile);
+ (void) TIFFClose(out);
+ exit(-2);
+ }
if (resolution > 0) {
TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);