| From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001 |
| From: Augustus <wangdw.augustus@qq.com> |
| Date: Mon, 7 Mar 2022 18:21:49 +0800 |
| Subject: [PATCH] add checks for return value of limitMalloc (#392) |
| |
| CVE: CVE-2022-0907 |
| Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0907.patch/] |
| Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> |
| Comment: No change in any hunk |
| |
| --- |
| tools/tiffcrop.c | 33 +++++++++++++++++++++------------ |
| 1 file changed, 21 insertions(+), 12 deletions(-) |
| |
| diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c |
| index f2e5474a..9b8acc7e 100644 |
| --- a/tools/tiffcrop.c |
| +++ b/tools/tiffcrop.c |
| @@ -7337,7 +7337,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) |
| if (!sect_buff) |
| { |
| sect_buff = (unsigned char *)_TIFFmalloc(sectsize); |
| - *sect_buff_ptr = sect_buff; |
| + if (!sect_buff) |
| + { |
| + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); |
| + return (-1); |
| + } |
| _TIFFmemset(sect_buff, 0, sectsize); |
| } |
| else |
| @@ -7353,15 +7357,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) |
| else |
| sect_buff = new_buff; |
| |
| + if (!sect_buff) |
| + { |
| + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); |
| + return (-1); |
| + } |
| _TIFFmemset(sect_buff, 0, sectsize); |
| } |
| } |
| |
| - if (!sect_buff) |
| - { |
| - TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); |
| - return (-1); |
| - } |
| prev_sectsize = sectsize; |
| *sect_buff_ptr = sect_buff; |
| |
| @@ -7628,7 +7632,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, |
| if (!crop_buff) |
| { |
| crop_buff = (unsigned char *)_TIFFmalloc(cropsize); |
| - *crop_buff_ptr = crop_buff; |
| + if (!crop_buff) |
| + { |
| + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); |
| + return (-1); |
| + } |
| _TIFFmemset(crop_buff, 0, cropsize); |
| prev_cropsize = cropsize; |
| } |
| @@ -7644,15 +7652,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, |
| } |
| else |
| crop_buff = new_buff; |
| + if (!crop_buff) |
| + { |
| + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); |
| + return (-1); |
| + } |
| _TIFFmemset(crop_buff, 0, cropsize); |
| } |
| } |
| |
| - if (!crop_buff) |
| - { |
| - TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); |
| - return (-1); |
| - } |
| *crop_buff_ptr = crop_buff; |
| |
| if (crop->crop_mode & CROP_INVERT) |
| @@ -9211,3 +9219,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui |
| * fill-column: 78 |
| * End: |
| */ |
| + |
| -- |
| GitLab |
| |