blob: 828d684708cab23e47259d1fdb5d188e8fac52f4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
From 981e43ecae83935625c86c9118c0778c942c7048 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 15 Aug 2018 16:34:40 +0200
Subject: [PATCH] TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit
systems with large number of strips. Probably relates to
http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
---
libtiff/tif_write.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
index 586f6fdf..a31ecd12 100644
--- a/libtiff/tif_write.c
+++ b/libtiff/tif_write.c
@@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif)
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
td->td_stripsperimage /= td->td_samplesperpixel;
td->td_stripoffset = (uint64 *)
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+ "for \"StripOffsets\" array");
td->td_stripbytecount = (uint64 *)
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+ "for \"StripByteCounts\" array");
if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
return (0);
/*
--
2.18.1
|