File tiff-CVE-2020-35523.patch of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2020-35523.patch of Package tiff (Revision 77ffff1c1b12a7e20e7aed3926fbb2bb)

Currently displaying revision 77ffff1c1b12a7e20e7aed3926fbb2bb , Show latest

Index: tiff-4.0.9/libtiff/tif_getimage.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_getimage.c
+++ tiff-4.0.9/libtiff/tif_getimage.c
@@ -31,6 +31,7 @@
  */
 #include "tiffiop.h"
 #include <stdio.h>
+#include <limits.h>
 
 static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
 static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32*
 
     flip = setorientation(img);
     if (flip & FLIP_VERTICALLY) {
-	    y = h - 1;
-	    toskew = -(int32)(tw + w);
+		if ((tw + w) > INT_MAX) {
+			TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+			return (0);
+		}
+		y = h - 1;
+		toskew = -(int32)(tw + w);
     }
     else {
-	    y = 0;
-	    toskew = -(int32)(tw - w);
+		if (tw > (INT_MAX + w)) {
+			TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+			return (0);
+		}
+		y = 0;
+		toskew = -(int32)(tw - w);
     }
      
     /*

Places

File tiff-CVE-2020-35523.patch of Package tiff (Revision 77ffff1c1b12a7e20e7aed3926fbb2bb)

Places