ssuominen 12/04/06 17:39:21 |
|
Added: tiff-4.0.1-CVE-2012-1173.patch |
tiff-3.9.5-CVE-2012-1173.patch |
Log: |
Upstream patch for CVE-2012-1173 wrt #410931 by Agostino Sarubbo |
|
(Portage version: 2.2.0_alpha99/cvs/Linux x86_64) |
|
Revision Changes Path |
11 |
1.1 media-libs/tiff/files/tiff-4.0.1-CVE-2012-1173.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-4.0.1-CVE-2012-1173.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-4.0.1-CVE-2012-1173.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: tiff-4.0.1-CVE-2012-1173.patch |
17 |
=================================================================== |
18 |
Index: ChangeLog |
19 |
=================================================================== |
20 |
RCS file: /cvs/maptools/cvsroot/libtiff/ChangeLog,v |
21 |
retrieving revision 1.877 |
22 |
diff -r1.877 ChangeLog |
23 |
0a1,5 |
24 |
> 2012-03-30 Frank Warmerdam <warmerdam@××××××.com> |
25 |
> |
26 |
> * tif_getimage.c: Fix size overflow (zdi-can-1221,CVE-2012-1173) |
27 |
> care of Tom Lane @ Red Hat. |
28 |
> |
29 |
Index: libtiff/tif_getimage.c |
30 |
=================================================================== |
31 |
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v |
32 |
retrieving revision 1.78 |
33 |
diff -r1.78 tif_getimage.c |
34 |
694a695 |
35 |
> tmsize_t bufsize; |
36 |
702c703,708 |
37 |
< buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); |
38 |
--- |
39 |
> bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); |
40 |
> if (bufsize == 0) { |
41 |
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); |
42 |
> return (0); |
43 |
> } |
44 |
> buf = (unsigned char*) _TIFFmalloc(bufsize); |
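Review bot: The multiplier is passed to TIFFSafeMultiply as the bare expression `alpha?4:3`, so this overflow guard is only correct together with the tiffiop.h hunk of this patch that parenthesises the macro arguments; with the earlier macro body shown there as `(v*m)`, the conditional would bind as `alpha ? 4 : (3*tilesize)`. Writing the call as `bufsize = TIFFSafeMultiply(tmsize_t,(alpha?4:3),tilesize);` keeps the check valid even if only the tif_getimage.c part is backported. The same applies to the gtStripSeparate hunk (925c932,937) and to both call sites in the 3.9.5 patch. In addition, `bufsize == 0` is also reached when `tilesize` itself is 0, where the "Integer overflow" message is misleading, so a comment such as `/* 0 means overflow or an empty tile size */` would help; the enclosing function starts and ends outside the hunk.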
45 |
707c713 |
46 |
< _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); |
47 |
--- |
48 |
> _TIFFmemset(buf, 0, bufsize); |
49 |
919a926 |
50 |
> tmsize_t bufsize; |
51 |
925c932,937 |
52 |
< p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); |
53 |
--- |
54 |
> bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); |
55 |
> if (bufsize == 0) { |
56 |
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); |
57 |
> return (0); |
58 |
> } |
59 |
> p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); |
60 |
930c942 |
61 |
< _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); |
62 |
--- |
63 |
> _TIFFmemset(buf, 0, bufsize); |
64 |
Index: libtiff/tiffiop.h |
65 |
=================================================================== |
66 |
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v |
67 |
retrieving revision 1.82 |
68 |
diff -r1.82 tiffiop.h |
69 |
253c253 |
70 |
< #define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) |
71 |
--- |
72 |
> #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) |
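Review bot: Even with the added parentheses, TIFFSafeMultiply still computes `(v)*(m)` first and only detects overflow afterwards by dividing; the product is evaluated in the operands' own type rather than in `t`, so if the operands are signed (the result is stored in a `tmsize_t` at the call sites, and in a `tsize_t` in the 3.9.5 copy of this hunk) an overflow is undefined behaviour and a compiler may legitimately drop the division test. A check made before multiplying avoids that; for non-negative operands it has the shape `((m) != 0 && (v) > T_MAX / (m)) ? (t)0 : (t)((v)*(m))`, where `T_MAX` is a placeholder for the largest value of `t`. The macro also evaluates `m` up to four times and `v` up to three times, which deserves a comment above it: `/* arguments must be free of side effects; yields 0 on overflow or when the product is 0 */`.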
73 |
|
74 |
|
75 |
|
76 |
1.1 media-libs/tiff/files/tiff-3.9.5-CVE-2012-1173.patch |
77 |
|
78 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-3.9.5-CVE-2012-1173.patch?rev=1.1&view=markup |
79 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-libs/tiff/files/tiff-3.9.5-CVE-2012-1173.patch?rev=1.1&content-type=text/plain |
80 |
|
81 |
Index: tiff-3.9.5-CVE-2012-1173.patch |
82 |
=================================================================== |
83 |
Index: ChangeLog |
84 |
=================================================================== |
85 |
RCS file: /cvs/maptools/cvsroot/libtiff/ChangeLog,v |
86 |
retrieving revision 1.602.2.141 |
87 |
diff -r1.602.2.141 ChangeLog |
88 |
0a1,6 |
89 |
> 2012-03-30 Frank Warmerdam <warmerdam@××××××.com> |
90 |
> |
91 |
> * tif_getimage.c: Fix size overflow (zdi-can-1221,CVE-2012-1173) |
92 |
> care of Tom Lane @ Red Hat. |
93 |
> |
94 |
> |
95 |
Index: libtiff/tif_getimage.c |
96 |
=================================================================== |
97 |
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v |
98 |
retrieving revision 1.63.2.6 |
99 |
diff -r1.63.2.6 tif_getimage.c |
100 |
675a676 |
101 |
> tsize_t bufsize; |
102 |
682c683,688 |
103 |
< buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); |
104 |
--- |
105 |
> bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize); |
106 |
> if (bufsize == 0) { |
107 |
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); |
108 |
> return (0); |
109 |
> } |
110 |
> buf = (unsigned char*) _TIFFmalloc(bufsize); |
111 |
687c693 |
112 |
< _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); |
113 |
--- |
114 |
> _TIFFmemset(buf, 0, bufsize); |
115 |
882a889 |
116 |
> tsize_t bufsize; |
117 |
888c895,900 |
118 |
< p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); |
119 |
--- |
120 |
> bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize); |
121 |
> if (bufsize == 0) { |
122 |
> TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); |
123 |
> return (0); |
124 |
> } |
125 |
> p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); |
126 |
893c905 |
127 |
< _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); |
128 |
--- |
129 |
> _TIFFmemset(buf, 0, bufsize); |
130 |
Index: libtiff/tiffiop.h |
131 |
=================================================================== |
132 |
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v |
133 |
retrieving revision 1.51.2.7 |
134 |
diff -r1.51.2.7 tiffiop.h |
135 |
249c249 |
136 |
< #define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) |
137 |
--- |
138 |
> #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) |