summary refs log tree commit diff
path: root/gnu/packages/patches/libtiff-CVE-2014-9330.patch
blob: c3c5fc03676391e19a725d53f253e638b7696d22 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Copied from Debian

Description: CVE-2014-9330
 Integer overflow in bmp2tiff
Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
Bug-Debian: http://bugs.debian.org/773987

Index: tiff/tools/bmp2tiff.c
===================================================================
--- tiff.orig/tools/bmp2tiff.c
+++ tiff/tools/bmp2tiff.c
@@ -1,4 +1,4 @@
-/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $
+/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $
  *
  * Project:  libtiff tools
  * Purpose:  Convert Windows BMP files in TIFF.
@@ -403,6 +403,13 @@ main(int argc, char* argv[])
 
 		width = info_hdr.iWidth;
 		length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
+        if( width <= 0 || length <= 0 )
+        {
+            TIFFError(infilename,
+                  "Invalid dimensions of BMP file" );
+            close(fd);
+            return -1;
+        }
 
 		switch (info_hdr.iBitCount)
 		{
@@ -593,6 +600,14 @@ main(int argc, char* argv[])
 
 			compr_size = file_hdr.iSize - file_hdr.iOffBits;
 			uncompr_size = width * length;
+            /* Detect int overflow */
+            if( uncompr_size / width != length )
+            {
+                TIFFError(infilename,
+                    "Invalid dimensions of BMP file" );
+                close(fd);
+                return -1;
+            }
 			comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
 			if (!comprbuf) {
 				TIFFError(infilename,