mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-29 07:42:23 -05:00
8e28d22c91
* gnu/packages/patches/libtiff-CVE-2012-4564.patch, gnu/packages/patches/libtiff-CVE-2013-1960.patch, gnu/packages/patches/libtiff-CVE-2013-1961.patch, gnu/packages/patches/libtiff-CVE-2013-4231.patch, gnu/packages/patches/libtiff-CVE-2013-4232.patch, gnu/packages/patches/libtiff-CVE-2013-4243.patch, gnu/packages/patches/libtiff-CVE-2013-4244.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch, gnu/packages/patches/libtiff-CVE-2014-8129.patch, gnu/packages/patches/libtiff-CVE-2014-9330.patch, gnu/packages/patches/libtiff-CVE-2014-9655.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[source]: Add patches.
47 lines
1.5 KiB
Diff
47 lines
1.5 KiB
Diff
Copied from Debian
|
|
|
|
Description: CVE-2014-9330
|
|
Integer overflow in bmp2tiff
|
|
Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494
|
|
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
|
|
Bug-Debian: http://bugs.debian.org/773987
|
|
|
|
Index: tiff/tools/bmp2tiff.c
|
|
===================================================================
|
|
--- tiff.orig/tools/bmp2tiff.c
|
|
+++ tiff/tools/bmp2tiff.c
|
|
@@ -1,4 +1,4 @@
|
|
-/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $
|
|
+/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $
|
|
*
|
|
* Project: libtiff tools
|
|
* Purpose: Convert Windows BMP files in TIFF.
|
|
@@ -403,6 +403,13 @@ main(int argc, char* argv[])
|
|
|
|
width = info_hdr.iWidth;
|
|
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
|
|
+ if( width <= 0 || length <= 0 )
|
|
+ {
|
|
+ TIFFError(infilename,
|
|
+ "Invalid dimensions of BMP file" );
|
|
+ close(fd);
|
|
+ return -1;
|
|
+ }
|
|
|
|
switch (info_hdr.iBitCount)
|
|
{
|
|
@@ -593,6 +600,14 @@ main(int argc, char* argv[])
|
|
|
|
compr_size = file_hdr.iSize - file_hdr.iOffBits;
|
|
uncompr_size = width * length;
|
|
+ /* Detect int overflow */
|
|
+ if( uncompr_size / width != length )
|
|
+ {
|
|
+ TIFFError(infilename,
|
|
+ "Invalid dimensions of BMP file" );
|
|
+ close(fd);
|
|
+ return -1;
|
|
+ }
|
|
comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
|
|
if (!comprbuf) {
|
|
TIFFError(infilename,
|