diff options
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2016-3945.patch')
| -rw-r--r-- | gnu/packages/patches/libtiff-CVE-2016-3945.patch | 94 |
1 files changed, 0 insertions, 94 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3945.patch b/gnu/packages/patches/libtiff-CVE-2016-3945.patch deleted file mode 100644 index 8ec62bab99..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-3945.patch +++ /dev/null @@ -1,94 +0,0 @@ -Fix CVE-2016-3945 (integer overflow in size of allocated -buffer, when -b mode is enabled, that could result in out-of-bounds -write). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945 -http://bugzilla.maptools.org/show_bug.cgi?id=2545 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c - -Index: tools/tiff2rgba.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v -retrieving revision 1.21 -retrieving revision 1.22 -diff -u -r1.21 -r1.22 ---- libtiff/tools/tiff2rgba.c 21 Jun 2015 01:09:10 -0000 1.21 -+++ libtiff/tools/tiff2rgba.c 15 Aug 2016 20:06:41 -0000 1.22 -@@ -147,6 +147,7 @@ - uint32 row, col; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -163,7 +164,13 @@ - /* - * Allocate tile buffer - */ -- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); -+ rastersize = tile_width * tile_height * sizeof (uint32); -+ if (tile_width != (rastersize / tile_height) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -173,7 +180,13 @@ - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); -+ wrk_linesize = tile_width * sizeof (uint32); -+ if (tile_width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; -@@ -249,6 +262,7 @@ - uint32 row; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -263,7 +277,13 @@ - /* - * Allocate strip buffer - */ -- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); -+ rastersize = width * rowsperstrip * sizeof (uint32); -+ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -273,7 +293,13 @@ - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); -+ wrk_linesize = width * sizeof (uint32); -+ if (width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; |