Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:Update
tiff.31355
tiff-CVE-2019-17546.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tiff-CVE-2019-17546.patch of Package tiff.31355
Index: tiff-4.0.9/libtiff/tif_getimage.c =================================================================== --- tiff-4.0.9.orig/libtiff/tif_getimage.c +++ tiff-4.0.9/libtiff/tif_getimage.c @@ -960,16 +960,23 @@ gtStripContig(TIFFRGBAImage* img, uint32 fromskew = (w < imagewidth ? imagewidth - w : 0); for (row = 0; row < h; row += nrow) { + uint32 temp; rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; nrow = (row + rowstoread > h ? h - row : rowstoread); nrowsub = nrow; if ((nrowsub%subsamplingver)!=0) nrowsub+=subsamplingver-nrowsub%subsamplingver; + temp = (row + img->row_offset)%rowsperstrip + nrowsub; + if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) + { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); + return 0; + } if (_TIFFReadEncodedStripAndAllocBuffer(tif, TIFFComputeStrip(tif,row+img->row_offset, 0), (void**)(&buf), maxstripsize, - ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) + temp * scanline)==(tmsize_t)(-1) && (buf == NULL || img->stoponerr)) { ret = 0; @@ -1062,15 +1069,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint fromskew = (w < imagewidth ? imagewidth - w : 0); for (row = 0; row < h; row += nrow) { + uint32 temp; rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; nrow = (row + rowstoread > h ? h - row : rowstoread); offset_row = row + img->row_offset; + temp = (row + img->row_offset)%rowsperstrip + nrow; + if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) + { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); + return 0; + } if( buf == NULL ) { if (_TIFFReadEncodedStripAndAllocBuffer( tif, TIFFComputeStrip(tif, offset_row, 0), (void**) &buf, bufsize, - ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) + temp * scanline)==(tmsize_t)(-1) && (buf == NULL || img->stoponerr)) { ret = 0; @@ -1090,7 +1104,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint } } else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), - p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) + p0, temp * scanline)==(tmsize_t)(-1) && img->stoponerr) { ret = 0; @@ -1098,7 +1112,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint } if (colorchannels > 1 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), - p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) + p1, temp * scanline) == (tmsize_t)(-1) && img->stoponerr) { ret = 0; @@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint } if (colorchannels > 1 && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), - p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) + p2, temp * scanline) == (tmsize_t)(-1) && img->stoponerr) { ret = 0; @@ -1115,7 +1129,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint if (alpha) { if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), - pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) + pa, temp * scanline)==(tmsize_t)(-1) && img->stoponerr) { ret = 0;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor