aboutsummaryrefslogtreecommitdiffstats
path: root/community/evince/CVE-2019-11459.patch
blob: b331a0c30ad0dc02f4b237d075b320c3b28ed05c (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
From 234f034a4d15cd46dd556f4945f99fbd57ef5f15 Mon Sep 17 00:00:00 2001
From: Jason Crain <jcrain@src.gnome.org>
Date: Mon, 15 Apr 2019 23:06:36 -0600
Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented

The TIFFReadRGBAImageOriented function returns zero if it was unable to
read the image. Return NULL in this case instead of displaying
uninitialized memory.

Fixes #1129
---
 backend/tiff/tiff-document.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
index 7715031b..38bb3bd8 100644
--- a/backend/tiff/tiff-document.c
+++ b/backend/tiff/tiff-document.c
@@ -292,18 +292,22 @@ tiff_document_render (EvDocument      *document,
 		g_warning("Failed to allocate memory for rendering.");
 		return NULL;
 	}
-	
+
+	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+					width, height,
+					(uint32 *)pixels,
+					orientation, 0)) {
+		g_warning ("Failed to read TIFF image.");
+		g_free (pixels);
+		return NULL;
+	}
+
 	surface = cairo_image_surface_create_for_data (pixels,
 						       CAIRO_FORMAT_RGB24,
 						       width, height,
 						       rowstride);
 	cairo_surface_set_user_data (surface, &key,
 				     pixels, (cairo_destroy_func_t)g_free);
-
-	TIFFReadRGBAImageOriented (tiff_document->tiff,
-				   width, height,
-				   (uint32 *)pixels,
-				   orientation, 0);
 	pop_handlers ();
 
 	/* Convert the format returned by libtiff to
@@ -384,13 +388,17 @@ tiff_document_get_thumbnail (EvDocument      *document,
 	if (!pixels)
 		return NULL;
 	
+	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+					width, height,
+					(uint32 *)pixels,
+					ORIENTATION_TOPLEFT, 0)) {
+		g_free (pixels);
+		return NULL;
+	}
+
 	pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, 
 					   width, height, rowstride,
 					   (GdkPixbufDestroyNotify) g_free, NULL);
-	TIFFReadRGBAImageOriented (tiff_document->tiff,
-				   width, height,
-				   (uint32 *)pixels,
-				   ORIENTATION_TOPLEFT, 0);
 	pop_handlers ();
 
 	ev_render_context_compute_scaled_size (rc, width, height * (x_res / y_res),
-- 
2.21.0