Репозитории ALT
| S: | 4.4.0-alt4 |
| 5.1: | 3.9.5-alt1.M50P.1 |
| 4.1: | 3.8.2-alt2.M41.4 |
| 4.0: | 3.8.2-alt2 |
| +updates: | 3.8.2-alt2 |
| 3.0: | 3.7.2-alt5 |
Группа :: Система/Библиотеки
Пакет: libtiff
навигация по пакетам
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: libtiff-3.8.2-CVE-2010-1411.patch
Скачать
Скачать
Index: libtiff/tif_fax3.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_fax3.c,v
retrieving revision 1.43.2.8
retrieving revision 1.43.2.10
diff -u -p -r1.43.2.8 -r1.43.2.10
--- libtiff/tif_fax3.c 8 Jun 2010 18:50:42 -0000 1.43.2.8
+++ libtiff/tif_fax3.c 9 Jun 2010 17:16:58 -0000 1.43.2.10
@@ -493,10 +493,26 @@ Fax3SetupState(TIFF* tif)
td->td_compression == COMPRESSION_CCITTFAX4
);
- nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels;
-
- dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32),
- "for Group 3/4 run arrays");
+ /*
+ Assure that allocation computations do not overflow.
+
+ TIFFroundup and TIFFSafeMultiply return zero on integer overflow
+ */
+ dsp->runs=(uint32*) NULL;
+ nruns = TIFFroundup(rowpixels,32);
+ if (needsRefLine) {+ nruns = TIFFSafeMultiply(uint32,nruns,2);
+ }
+ if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) {+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Row pixels integer overflow (rowpixels %u)",
+ rowpixels);
+ return (0);
+ }
+ dsp->runs = (uint32*) _TIFFCheckMalloc(tif,
+ TIFFSafeMultiply(uint32,nruns,2),
+ sizeof (uint32),
+ "for Group 3/4 run arrays");
if (dsp->runs == NULL)
return (0);
dsp->curruns = dsp->runs;
Index: libtiff/tiffiop.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
retrieving revision 1.51.2.2
retrieving revision 1.51.2.5
diff -u -p -r1.51.2.2 -r1.51.2.5
--- libtiff/tiffiop.h 8 Jun 2010 18:50:43 -0000 1.51.2.2
+++ libtiff/tiffiop.h 10 Jun 2010 22:52:45 -0000 1.51.2.5
@@ -236,10 +236,15 @@ struct tiff {#endif
/* NB: the uint32 casts are to silence certain ANSI-C compilers */
-#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y)))
+#define TIFFhowmany(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 0U)
#define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
#define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
+/* Safe multiply which returns zero if there is an integer overflow */
+#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)v*m)/(t)m == (t)v)) ? (t)v*m : (t)0)
+
#define TIFFmax(A,B) ((A)>(B)?(A):(B))
#define TIFFmin(A,B) ((A)<(B)?(A):(B))