From c9db90c1a76c0f93da87c3ae32a6037c407b6d65 Mon Sep 17 00:00:00 2001
From: Ozkan Sezer <[EMAIL REDACTED]>
Date: Sun, 10 Dec 2023 05:51:00 +0300
Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
(CVE-2023-40745)
From debian. Patch authored by Arie Haenel.
---
tools/tiffcp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 825cfc0c..cca22963 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1490,6 +1490,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
return 0;
}
+
+ if ( (imagew - tilew * spp) > INT_MAX ){
+ TIFFError(TIFFFileName(in),
+ "Error, image raster scan line size is too large");
+ return 0;
+ }
+
iskew = imagew - tilew*spp;
tilebuf = limitMalloc(tilesize);
if (tilebuf == 0)