| From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001 |
| From: Thomas Bernard <miniupnp@free.fr> |
| Date: Tue, 10 Nov 2020 01:54:30 +0100 |
| Subject: [PATCH] gtTileContig(): check Tile width for overflow |
| |
| fixes #211 |
| |
| Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ] |
| CVE: CVE-2020-35523 |
| Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| --- |
| libtiff/tif_getimage.c | 17 +++++++++++++---- |
| 1 file changed, 13 insertions(+), 4 deletions(-) |
| |
| diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c |
| index 4da785d3..96ab1460 100644 |
| --- a/libtiff/tif_getimage.c |
| +++ b/libtiff/tif_getimage.c |
| @@ -29,6 +29,7 @@ |
| */ |
| #include "tiffiop.h" |
| #include <stdio.h> |
| +#include <limits.h> |
| |
| static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); |
| static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); |
| @@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) |
| |
| flip = setorientation(img); |
| if (flip & FLIP_VERTICALLY) { |
| - y = h - 1; |
| - toskew = -(int32)(tw + w); |
| + if ((tw + w) > INT_MAX) { |
| + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); |
| + return (0); |
| + } |
| + y = h - 1; |
| + toskew = -(int32)(tw + w); |
| } |
| else { |
| - y = 0; |
| - toskew = -(int32)(tw - w); |
| + if (tw > (INT_MAX + w)) { |
| + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); |
| + return (0); |
| + } |
| + y = 0; |
| + toskew = -(int32)(tw - w); |
| } |
| |
| /* |
| -- |
| GitLab |
| |
| |