aboutsummaryrefslogtreecommitdiffstats
path: root/main/tiff/CVE-2018-10779.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/tiff/CVE-2018-10779.patch')
-rw-r--r--main/tiff/CVE-2018-10779.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/main/tiff/CVE-2018-10779.patch b/main/tiff/CVE-2018-10779.patch
new file mode 100644
index 0000000000..828d684708
--- /dev/null
+++ b/main/tiff/CVE-2018-10779.patch
@@ -0,0 +1,32 @@
+From 981e43ecae83935625c86c9118c0778c942c7048 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 15 Aug 2018 16:34:40 +0200
+Subject: [PATCH] TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit
+ systems with large number of strips. Probably relates to
+ http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
+
+---
+ libtiff/tif_write.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
+index 586f6fdf..a31ecd12 100644
+--- a/libtiff/tif_write.c
++++ b/libtiff/tif_write.c
+@@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif)
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ td->td_stripsperimage /= td->td_samplesperpixel;
+ td->td_stripoffset = (uint64 *)
+- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++ "for \"StripOffsets\" array");
+ td->td_stripbytecount = (uint64 *)
+- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++ "for \"StripByteCounts\" array");
+ if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
+ return (0);
+ /*
+--
+2.18.1
+