CVE-2016-5875(, dup?) |
https://marc.info/?l=oss-security&m=146720235906569&w=2 |
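--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int strid
 typedef struct {
 TIFFPredictorState predict;
 z_stream stream;
+ tmsize_t tbuf_size; /* only set/used on reading for now */
 uint16 *tbuf;
 uint16 stride;
 int state;
@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
 sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
 if (sp->tbuf == NULL)
 return (0);
+ sp->tbuf_size = tbuf_size;
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
 sp->user_datafmt = PixarLogGuessDataFmt(td);
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -779,6 +781,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uin
 if (sp->stream.avail_out != nsamples * sizeof(uint16))
 {
 TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+ return (0);
+ }
+ /* Check that we will not fill more than what was allocated */
+ if (sp->stream.avail_out > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
 return (0);
 }
 do {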
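Review bot: In the last hunk, `if (sp->stream.avail_out > sp->tbuf_size)` compares zlib's unsigned `avail_out` with the signed `tmsize_t` field added in the first hunk, so the result depends on the usual arithmetic conversions and draws a sign-compare warning; an explicit cast keeps it a signed comparison on every platform: `if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)`. The message passed to TIFFErrorExt only repeats the expression; wording that says the strip needs more output space than the decode buffer allocated in PixarLogSetupDecode would make a rejected file easier to triage. PixarLogDecode's body starts and continues outside the hunk, so whether any other write into `sp->tbuf` is covered by this check is not visible here.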