summary refs log tree commit diff
path: root/gnu/packages/patches/libtiff-CVE-2012-4564.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2012-4564.patch')
-rw-r--r--gnu/packages/patches/libtiff-CVE-2012-4564.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2012-4564.patch b/gnu/packages/patches/libtiff-CVE-2012-4564.patch
new file mode 100644
index 0000000000..472f9ca35f
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2012-4564.patch
@@ -0,0 +1,33 @@
+Copied from Debian
+
+Index: tiff-4.0.3/tools/ppm2tiff.c
+===================================================================
+--- tiff-4.0.3.orig/tools/ppm2tiff.c	2013-06-23 10:36:50.779629492 -0400
++++ tiff-4.0.3/tools/ppm2tiff.c	2013-06-23 10:36:50.775629494 -0400
+@@ -89,6 +89,7 @@
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
++	tmsize_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -237,8 +238,16 @@
+ 	}
+ 	if (TIFFScanlineSize(out) > linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+-	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++	else {
++		scanline_size = TIFFScanlineSize(out);
++		if (scanline_size != 0)
++			buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++		else {
++			fprintf(stderr, "%s: scanline size overflow\n",infile);
++			(void) TIFFClose(out);
++			exit(-2);
++			}
++		}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-01-07 23:12:35 +0000