Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 1 | CVE: CVE-2022-0907 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001 |
| 6 | From: Augustus <wangdw.augustus@qq.com> |
| 7 | Date: Mon, 7 Mar 2022 18:21:49 +0800 |
| 8 | Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392) |
| 9 | |
| 10 | --- |
| 11 | tools/tiffcrop.c | 33 +++++++++++++++++++++------------ |
| 12 | 1 file changed, 21 insertions(+), 12 deletions(-) |
| 13 | |
| 14 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c |
| 15 | index 302a7e91..e407bf51 100644 |
| 16 | --- a/tools/tiffcrop.c |
| 17 | +++ b/tools/tiffcrop.c |
| 18 | @@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) |
| 19 | if (!sect_buff) |
| 20 | { |
| 21 | sect_buff = (unsigned char *)limitMalloc(sectsize); |
| 22 | - *sect_buff_ptr = sect_buff; |
| 23 | + if (!sect_buff) |
| 24 | + { |
| 25 | + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); |
| 26 | + return (-1); |
| 27 | + } |
| 28 | _TIFFmemset(sect_buff, 0, sectsize); |
| 29 | } |
| 30 | else |
| 31 | @@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) |
| 32 | else |
| 33 | sect_buff = new_buff; |
| 34 | |
| 35 | + if (!sect_buff) |
| 36 | + { |
| 37 | + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); |
| 38 | + return (-1); |
| 39 | + } |
| 40 | _TIFFmemset(sect_buff, 0, sectsize); |
| 41 | } |
| 42 | } |
| 43 | |
| 44 | - if (!sect_buff) |
| 45 | - { |
| 46 | - TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); |
| 47 | - return (-1); |
| 48 | - } |
| 49 | prev_sectsize = sectsize; |
| 50 | *sect_buff_ptr = sect_buff; |
| 51 | |
| 52 | @@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, |
| 53 | if (!crop_buff) |
| 54 | { |
| 55 | crop_buff = (unsigned char *)limitMalloc(cropsize); |
| 56 | - *crop_buff_ptr = crop_buff; |
| 57 | + if (!crop_buff) |
| 58 | + { |
| 59 | + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); |
| 60 | + return (-1); |
| 61 | + } |
| 62 | _TIFFmemset(crop_buff, 0, cropsize); |
| 63 | prev_cropsize = cropsize; |
| 64 | } |
| 65 | @@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, |
| 66 | } |
| 67 | else |
| 68 | crop_buff = new_buff; |
| 69 | + if (!crop_buff) |
| 70 | + { |
| 71 | + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); |
| 72 | + return (-1); |
| 73 | + } |
| 74 | _TIFFmemset(crop_buff, 0, cropsize); |
| 75 | } |
| 76 | } |
| 77 | |
| 78 | - if (!crop_buff) |
| 79 | - { |
| 80 | - TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); |
| 81 | - return (-1); |
| 82 | - } |
| 83 | *crop_buff_ptr = crop_buff; |
| 84 | |
| 85 | if (crop->crop_mode & CROP_INVERT) |
| 86 | @@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui |
| 87 | * fill-column: 78 |
| 88 | * End: |
| 89 | */ |
| 90 | + |
| 91 | -- |
| 92 | 2.25.1 |
| 93 | |