CVE: CVE-2019-7663 Upstream-Status: Backport Signed-off-by: Ross Burton From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Mon, 11 Feb 2019 10:05:33 +0100 Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow fixes bug 2833 --- tools/tiffcp.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/tiffcp.c b/tools/tiffcp.c index 2f406e2d..f0ee2c02 100644 --- a/tools/tiffcp.c +++ b/tools/tiffcp.c @@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) int status = 1; uint32 imagew = TIFFRasterScanlineSize(in); uint32 tilew = TIFFTileRowSize(in); - int iskew = imagew - tilew*spp; + int iskew; tsize_t tilesize = TIFFTileSize(in); tdata_t tilebuf; uint8* bufp = (uint8*) buf; @@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) uint32 row; uint16 bps = 0, bytes_per_sample; + if (spp > (0x7fffffff / tilew)) + { + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; + } + iskew = imagew - tilew*spp; tilebuf = _TIFFmalloc(tilesize); if (tilebuf == 0) return 0; -- 2.20.1 From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Mon, 11 Feb 2019 21:42:03 +0100 Subject: [PATCH 2/2] tiffcp.c: use INT_MAX --- tools/tiffcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/tiffcp.c b/tools/tiffcp.c index f0ee2c02..8c81aa4f 100644 --- a/tools/tiffcp.c +++ b/tools/tiffcp.c @@ -41,6 +41,7 @@ #include #include #include +#include #include @@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) uint32 row; uint16 bps = 0, bytes_per_sample; - if (spp > (0x7fffffff / tilew)) + if (spp > (INT_MAX / tilew)) { TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); return 0; -- 2.20.1