summary refs log tree commit diff
path: root/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
blob: fda4045504fa740eacccd3cdbc01e9d49439c6cf (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
Copied from Debian

Picked from CVE: diff -u -r1.14 -r1.15
http://bugzilla.maptools.org/show_bug.cgi?id=2501

Author: Even Rouault <even.rouault@spatialys.com>

--- tiff-4.0.3.orig/tools/tiffdither.c
+++ tiff-4.0.3/tools/tiffdither.c
@@ -39,6 +39,7 @@
 #endif
 
 #include "tiffio.h"
+#include "tiffiop.h"
 
 #define	streq(a,b)	(strcmp(a,b) == 0)
 #define	strneq(a,b,n)	(strncmp(a,b,n) == 0)
@@ -56,7 +57,7 @@ static	void usage(void);
  * Floyd-Steinberg error propragation with threshold.
  * This code is stolen from tiffmedian.
  */
-static void
+static int
 fsdither(TIFF* in, TIFF* out)
 {
 	unsigned char *outline, *inputline, *inptr;
@@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out)
 	int lastline, lastpixel;
 	int bit;
 	tsize_t outlinesize;
+	int errcode = 0;
 
 	imax = imagelength - 1;
 	jmax = imagewidth - 1;
 	inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
-	thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
-	nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
+	thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
+	nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
 	outlinesize = TIFFScanlineSize(out);
 	outline = (unsigned char *) _TIFFmalloc(outlinesize);
+	if (! (inputline && thisline && nextline && outline)) {
+	    fprintf(stderr, "Out of memory.\n");
+	    goto skip_on_error;
+	}
 
 	/*
 	 * Get first line
@@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out)
 		nextline = tmpptr;
 		lastline = (i == imax);
 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
-			break;
+			goto skip_on_error;
 		inptr = inputline;
 		nextptr = nextline;
 		for (j = 0; j < imagewidth; ++j)
@@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out)
 			}
 		}
 		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
-			break;
+			goto skip_on_error;
 	}
+	goto exit_label;
+
   skip_on_error:
+	errcode = 1;
+  exit_label:
 	_TIFFfree(inputline);
 	_TIFFfree(thisline);
 	_TIFFfree(nextline);
 	_TIFFfree(outline);
+	return errcode;
 }
 
 static	uint16 compression = COMPRESSION_PACKBITS;