Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 578148 Details for
Bug 810551
CVE-2012-2113 libtiff: integer overflow in tiff2pdf leading to heap-buffer overflow when reading a tiled tiff file
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
patch for uint32 vs tsize_t problems in libtiff 3.9
libtiff-negsize-3.9.patch (text/plain), 5.02 KB, created by
Tom Lane
on 2012-04-17 20:50:50 UTC
(
hide
)
Description:
patch for uint32 vs tsize_t problems in libtiff 3.9
Filename:
MIME Type:
Creator:
Tom Lane
Created:
2012-04-17 20:50:50 UTC
Size:
5.02 KB
patch
obsolete
>Index: libtiff/tif_strip.c >=================================================================== >RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v >retrieving revision 1.19.2.3 >diff -c -r1.19.2.3 tif_strip.c >*** libtiff/tif_strip.c 15 Dec 2010 00:50:30 -0000 1.19.2.3 >--- libtiff/tif_strip.c 17 Apr 2012 18:14:22 -0000 >*************** >*** 107,112 **** >--- 107,113 ---- > TIFFVStripSize(TIFF* tif, uint32 nrows) > { > TIFFDirectory *td = &tif->tif_dir; >+ uint32 stripsize; > > if (nrows == (uint32) -1) > nrows = td->td_imagelength; >*************** >*** 122,128 **** > * YCbCr data for the extended image. > */ > uint16 ycbcrsubsampling[2]; >! tsize_t w, scanline, samplingarea; > > TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, > ycbcrsubsampling + 0, >--- 123,129 ---- > * YCbCr data for the extended image. > */ > uint16 ycbcrsubsampling[2]; >! uint32 w, scanline, samplingarea; > > TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, > ycbcrsubsampling + 0, >*************** >*** 141,153 **** > nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); > /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ > scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); >! return ((tsize_t) > summarize(tif, scanline, > multiply(tif, 2, scanline / samplingarea, >! "TIFFVStripSize"), "TIFFVStripSize")); > } else >! return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif), >! "TIFFVStripSize")); > } > > >--- 142,160 ---- > nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); > /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ > scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); >! stripsize = > summarize(tif, scanline, > multiply(tif, 2, scanline / samplingarea, >! "TIFFVStripSize"), "TIFFVStripSize"); > } else >! stripsize = multiply(tif, nrows, TIFFScanlineSize(tif), >! "TIFFVStripSize"); >! /* Because tsize_t is signed, we might have conversion overflow */ >! if (((tsize_t) stripsize) < 0) { >! TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize"); >! stripsize = 0; >! } >! return (tsize_t) stripsize; > } > > >Index: libtiff/tif_tile.c >=================================================================== >RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_tile.c,v >retrieving revision 1.12.2.1 >diff -c -r1.12.2.1 tif_tile.c >*** libtiff/tif_tile.c 8 Jun 2010 18:50:43 -0000 1.12.2.1 >--- libtiff/tif_tile.c 17 Apr 2012 18:14:22 -0000 >*************** >*** 174,180 **** > TIFFTileRowSize(TIFF* tif) > { > TIFFDirectory *td = &tif->tif_dir; >! tsize_t rowsize; > > if (td->td_tilelength == 0 || td->td_tilewidth == 0) > return ((tsize_t) 0); >--- 174,180 ---- > TIFFTileRowSize(TIFF* tif) > { > TIFFDirectory *td = &tif->tif_dir; >! uint32 rowsize; > > if (td->td_tilelength == 0 || td->td_tilewidth == 0) > return ((tsize_t) 0); >*************** >*** 193,199 **** > TIFFVTileSize(TIFF* tif, uint32 nrows) > { > TIFFDirectory *td = &tif->tif_dir; >! tsize_t tilesize; > > if (td->td_tilelength == 0 || td->td_tilewidth == 0 || > td->td_tiledepth == 0) >--- 193,199 ---- > TIFFVTileSize(TIFF* tif, uint32 nrows) > { > TIFFDirectory *td = &tif->tif_dir; >! uint32 tilesize; > > if (td->td_tilelength == 0 || td->td_tilewidth == 0 || > td->td_tiledepth == 0) >*************** >*** 209,220 **** > * horizontal/vertical subsampling area include > * YCbCr data for the extended image. > */ >! tsize_t w = > TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); >! tsize_t rowsize = > TIFFhowmany8(multiply(tif, w, td->td_bitspersample, > "TIFFVTileSize")); >! tsize_t samplingarea = > td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; > if (samplingarea == 0) { > TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); >--- 209,220 ---- > * horizontal/vertical subsampling area include > * YCbCr data for the extended image. > */ >! uint32 w = > TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); >! uint32 rowsize = > TIFFhowmany8(multiply(tif, w, td->td_bitspersample, > "TIFFVTileSize")); >! uint32 samplingarea = > td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; > if (samplingarea == 0) { > TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); >*************** >*** 230,237 **** > } else > tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), > "TIFFVTileSize"); >! return ((tsize_t) >! multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize")); > } > > /* >--- 230,242 ---- > } else > tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), > "TIFFVTileSize"); >! tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"); >! /* Because tsize_t is signed, we might have conversion overflow */ >! if (((tsize_t) tilesize) < 0) { >! TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize"); >! tilesize = 0; >! } >! return (tsize_t) tilesize; > } > > /*
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 810551
:
576121
| 578148 |
578149