| From 787c0ee906430b772f33ca50b97b8b5ca070faec Mon Sep 17 00:00:00 2001 |
| From: erouault <erouault> |
| Date: Sat, 3 Dec 2016 16:40:01 +0000 |
| Subject: [PATCH] * tools/tiffcp.c: fix uint32 underflow/overflow that can |
| cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes |
| http://bugzilla.maptools.org/show_bug.cgi?id=2610 |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-10093 |
| Signed-off-by: Rajkumar Veer <rveer@mvista.com> |
| |
| --- |
| ChangeLog | 7 +++++++ |
| tools/tiffcp.c | 6 +++--- |
| 2 files changed, 10 insertions(+), 3 deletions(-) |
| |
| Index: tiff-4.0.7/tools/tiffcp.c |
| =================================================================== |
| --- tiff-4.0.7.orig/tools/tiffcp.c |
| +++ tiff-4.0.7/tools/tiffcp.c |
| @@ -1163,7 +1163,7 @@ bad: |
| |
| static void |
| cpStripToTile(uint8* out, uint8* in, |
| - uint32 rows, uint32 cols, int outskew, int inskew) |
| + uint32 rows, uint32 cols, int outskew, int64 inskew) |
| { |
| while (rows-- > 0) { |
| uint32 j = cols; |
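Review bot: `outskew` stays a plain `int` in the new signature while only `inskew` is widened, so a skew that does not fit in `int` is still narrowed on what is presumably the step applied to `out`. The caller patched further down now holds an `int64 iskew` and a `uint32 oskew`; its argument list is cut off at the end of the diff, so which of them reaches `outskew` cannot be confirmed from here. Widening both, `uint32 rows, uint32 cols, int64 outskew, int64 inskew)`, would keep the two parameters consistent and avoid an implementation-defined conversion at the call. The body of cpStripToTile continues past the hunk, so how the skews are used is not visible.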
| @@ -1320,7 +1320,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe |
| tdata_t tilebuf; |
| uint32 imagew = TIFFScanlineSize(in); |
| uint32 tilew = TIFFTileRowSize(in); |
| - int iskew = imagew - tilew; |
| + int64 iskew = (int64)imagew - (int64)tilew; |
| uint8* bufp = (uint8*) buf; |
| uint32 tw, tl; |
| uint32 row; |
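Review bot: `imagew` and `tilew` are still narrowed to `uint32` on the two context lines above the change, so the new 64-bit subtraction is only correct when both sizes fit in 32 bits. In libtiff 4.x `TIFFScanlineSize` and `TIFFTileRowSize` return `tmsize_t`, which is wider than `uint32` on 64-bit builds; their declarations are not part of this diff. A comparison such as `(tmsize_t)imagew != TIFFScanlineSize(in)` (and the same for `tilew`) before `iskew` is computed, failing the read when it holds, would close that gap. The rest of readContigTilesIntoBuffer lies outside the hunk, so the right error path for that check has to be taken from the full function.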
| @@ -1348,7 +1348,7 @@ DECLAREreadFunc(readContigTilesIntoBuffe |
| status = 0; |
| goto done; |
| } |
| - if (colb + tilew > imagew) { |
| + if (colb > iskew) { |
| uint32 width = imagew - colb; |
| uint32 oskew = tilew - width; |
| cpStripToTile(bufp + colb, |
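Review bot: The new condition `colb > iskew` is hard to recognise as the wrap-free form of the old `colb + tilew > imagew`, and it relies on `colb` being converted to `int64` so that the comparison is signed (the declaration of `colb` is outside the hunk). I would write it as `if ((int64)colb > iskew) {` with a comment above it, `/* colb + tilew > imagew, rearranged so the uint32 sum cannot wrap */`. `uint32 width = imagew - colb;` just below still assumes `colb <= imagew`; the loop condition that would guarantee this is not visible here, and neither is the rest of the cpStripToTile call.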