libtiff: * tools/tiff2rgba.c: Applied portion of patch (from Tom Lane)

https://github.com/libsdl-org/libtiff/commit/9fe360cc7328bfb4be58950846fe45f210fe3359

From 9fe360cc7328bfb4be58950846fe45f210fe3359 Mon Sep 17 00:00:00 2001
From: Bob Friesenhahn <[EMAIL REDACTED]>
Date: Sat, 12 Jun 2010 02:55:16 +0000
Subject: [PATCH] * tools/tiff2rgba.c: Applied portion of patch (from Tom Lane)
 which was left out in order to fully resolve "CVE-2009-2347 libtiff: integer
 overflows in various inter-color space conversion tools".
 http://bugzilla.maptools.org/show_bug.cgi?id=2079

* libtiff/tiffiop.h (TIFFSafeMultiply): Need more castings to
avoid compiler warnings if parameter types are not sign
consistent.
---
 ChangeLog         |  9 +++++++++
 libtiff/tiffiop.h |  4 ++--
 tools/tiff2rgba.c | 28 +++++++++++++++++++++++-----
 3 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 620b84e8..809be972 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 2010-06-11  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
+	* tools/tiff2rgba.c: Applied portion of patch (from Tom Lane)
+	which was left out in order to fully resolve "CVE-2009-2347
+	libtiff: integer overflows in various inter-color space conversion
+	tools". http://bugzilla.maptools.org/show_bug.cgi?id=2079
+
+	* libtiff/tiffiop.h (TIFFSafeMultiply): Need more castings to
+	avoid compiler warnings if parameter types are not sign
+	consistent.
+
 	* tools/tiffcrop.c: Applied patch from Richard Nolde: Corrected
 	European page size dimensions.  Added an option to allow the user
 	to specify a custom page size on the command line.  Fix the case
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 1883507b..a064039f 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -1,4 +1,4 @@
-/* $Id: tiffiop.h,v 1.51.2.5 2010-06-10 22:52:45 bfriesen Exp $ */
+/* $Id: tiffiop.h,v 1.51.2.6 2010-06-12 02:55:16 bfriesen Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -243,7 +243,7 @@ struct tiff {
 #define	TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
 
 /* Safe multiply which returns zero if there is an integer overflow */
-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)v*m)/(t)m == (t)v)) ? (t)v*m : (t)0)
+#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
 
 #define TIFFmax(A,B) ((A)>(B)?(A):(B))
 #define TIFFmin(A,B) ((A)<(B)?(A):(B))
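Review bot: The rewritten TIFFSafeMultiply performs `v*m` in the operands' own promoted type and casts to `t` only afterwards, so the division test detects wrap-around in that type rather than in `t`. A product that fits the operands' type but not `t` is narrowed on both sides of the `==` and comes back as a non-zero, possibly negative value instead of 0. The arguments are also used unparenthesized (`(t)m`, `v*m`), so an expression argument such as `a+b` would bind incorrectly. At minimum I would parenthesize them, `#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)`. I would also extend the comment above the macro with `/* Overflow is detected in the promoted type of v*m, not in t; callers must range-check the result */`.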
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index db060edc..9ba2877f 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2rgba.c,v 1.13.2.2 2010-06-08 18:50:44 bfriesen Exp $ */
+/* $Id: tiff2rgba.c,v 1.13.2.3 2010-06-12 02:55:16 bfriesen Exp $ */
 
 /*
  * Copyright (c) 1991-1997 Sam Leffler
@@ -125,6 +125,8 @@ main(int argc, char* argv[])
     return (0);
 }
 
+#define multiply(a,b) TIFFSafeMultiply(tsize_t,a,b)
+
 static int
 cvt_by_tile( TIFF *in, TIFF *out )
 
@@ -134,6 +136,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
     uint32  tile_width, tile_height;
     uint32  row, col;
     uint32  *wrk_line;
+    tsize_t raster_size;
     int	    ok = 1;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -151,7 +154,14 @@ cvt_by_tile( TIFF *in, TIFF *out )
     /*
      * Allocate tile buffer
      */
-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+    raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
+    if (!raster_size) {
+	TIFFError(TIFFFileName(in),
+		  "Can't allocate buffer for raster of size %lux%lu",
+		  (unsigned long) tile_width, (unsigned long) tile_height);
+	return (0);
+    }
+    raster = (uint32*)_TIFFmalloc(raster_size);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
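Review bot: `if (!raster_size)` rejects only an exact zero, but raster_size is a tsize_t filled by a macro that narrows its result to that type, so a product too large for tsize_t could reach `_TIFFmalloc` as a negative or truncated size while the later reads still use the full tile dimensions. The definition of tsize_t is outside this diff; as far as I know it is a signed type in libtiff, which should be confirmed. Bounding the dimensions before multiplying avoids relying on the macro: `if (tile_width == 0 || tile_height == 0 || tile_height > (uint32)(0x7fffffff / sizeof (uint32)) / tile_width)`, with the constant adjusted to the real maximum of tsize_t. The same applies to the `width`/`rowsperstrip` check added in cvt_by_strip further down, and the "can't overflow given prior checks" comments on the wrk_line allocations hold only once this check is sound. cvt_by_tile's body starts and ends outside this hunk.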
@@ -159,7 +169,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
 
     /*
      * Allocate a scanline buffer for swapping during the vertical
-     * mirroring pass.
+     * mirroring pass.  (Request can't overflow given prior checks.)
      */
     wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
     if (!wrk_line) {
@@ -236,6 +246,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
     uint32  width, height;		/* image width & height */
     uint32  row;
     uint32  *wrk_line;
+    tsize_t raster_size;
     int	    ok = 1;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
@@ -251,7 +262,14 @@ cvt_by_strip( TIFF *in, TIFF *out )
     /*
      * Allocate strip buffer
      */
-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+    raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
+    if (!raster_size) {
+	TIFFError(TIFFFileName(in),
+		  "Can't allocate buffer for raster of size %lux%lu",
+		  (unsigned long) width, (unsigned long) rowsperstrip);
+	return (0);
+    }
+    raster = (uint32*)_TIFFmalloc(raster_size);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
@@ -259,7 +277,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
 
     /*
      * Allocate a scanline buffer for swapping during the vertical
-     * mirroring pass.
+     * mirroring pass.  (Request can't overflow given prior checks.)
      */
     wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
     if (!wrk_line) {