diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch | 99 |
1 files changed, 0 insertions, 99 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch b/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch deleted file mode 100644 index 23649790c4..0000000000 --- a/meta/recipes-multimedia/libtiff/files/tiff-CVE-2012-4564.patch +++ /dev/null | |||
@@ -1,99 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Yue Tao <Yue.Tao@windriver.com> | ||
4 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
5 | |||
6 | Index: tools/ppm2tiff.c | ||
7 | =================================================================== | ||
8 | RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v | ||
9 | retrieving revision 1.16 | ||
10 | retrieving revision 1.18 | ||
11 | diff -u -r1.16 -r1.18 | ||
12 | --- a/tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16 | ||
13 | +++ b/tools/ppm2tiff.c 10 Dec 2012 18:19:11 -0000 1.18 | ||
14 | @@ -1,4 +1,4 @@ | ||
15 | -/* $Id: ppm2tiff.c,v 1.16 2010-04-10 19:22:34 bfriesen Exp $ */ | ||
16 | +/* $Id: ppm2tiff.c,v 1.18 2012-12-10 18:19:11 tgl Exp $ */ | ||
17 | |||
18 | /* | ||
19 | * Copyright (c) 1991-1997 Sam Leffler | ||
20 | @@ -72,6 +72,17 @@ | ||
21 | exit(-2); | ||
22 | } | ||
23 | |||
24 | +static tmsize_t | ||
25 | +multiply_ms(tmsize_t m1, tmsize_t m2) | ||
26 | +{ | ||
27 | + tmsize_t bytes = m1 * m2; | ||
28 | + | ||
29 | + if (m1 && bytes / m1 != m2) | ||
30 | + bytes = 0; | ||
31 | + | ||
32 | + return bytes; | ||
33 | +} | ||
34 | + | ||
35 | int | ||
36 | main(int argc, char* argv[]) | ||
37 | { | ||
38 | @@ -79,7 +90,7 @@ | ||
39 | uint32 rowsperstrip = (uint32) -1; | ||
40 | double resolution = -1; | ||
41 | unsigned char *buf = NULL; | ||
42 | - tsize_t linebytes = 0; | ||
43 | + tmsize_t linebytes = 0; | ||
44 | uint16 spp = 1; | ||
45 | uint16 bpp = 8; | ||
46 | TIFF *out; | ||
47 | @@ -89,6 +100,7 @@ | ||
48 | int c; | ||
49 | extern int optind; | ||
50 | extern char* optarg; | ||
51 | + tmsize_t scanline_size; | ||
52 | |||
53 | if (argc < 2) { | ||
54 | fprintf(stderr, "%s: Too few arguments\n", argv[0]); | ||
55 | @@ -221,7 +233,8 @@ | ||
56 | } | ||
57 | switch (bpp) { | ||
58 | case 1: | ||
59 | - linebytes = (spp * w + (8 - 1)) / 8; | ||
60 | + /* if round-up overflows, result will be zero, OK */ | ||
61 | + linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8; | ||
62 | if (rowsperstrip == (uint32) -1) { | ||
63 | TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h); | ||
64 | } else { | ||
65 | @@ -230,15 +243,31 @@ | ||
66 | } | ||
67 | break; | ||
68 | case 8: | ||
69 | - linebytes = spp * w; | ||
70 | + linebytes = multiply_ms(spp, w); | ||
71 | TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, | ||
72 | TIFFDefaultStripSize(out, rowsperstrip)); | ||
73 | break; | ||
74 | } | ||
75 | - if (TIFFScanlineSize(out) > linebytes) | ||
76 | + if (linebytes == 0) { | ||
77 | + fprintf(stderr, "%s: scanline size overflow\n", infile); | ||
78 | + (void) TIFFClose(out); | ||
79 | + exit(-2); | ||
80 | + } | ||
81 | + scanline_size = TIFFScanlineSize(out); | ||
82 | + if (scanline_size == 0) { | ||
83 | + /* overflow - TIFFScanlineSize already printed a message */ | ||
84 | + (void) TIFFClose(out); | ||
85 | + exit(-2); | ||
86 | + } | ||
87 | + if (scanline_size < linebytes) | ||
88 | buf = (unsigned char *)_TIFFmalloc(linebytes); | ||
89 | else | ||
90 | - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); | ||
91 | + buf = (unsigned char *)_TIFFmalloc(scanline_size); | ||
92 | + if (buf == NULL) { | ||
93 | + fprintf(stderr, "%s: Not enough memory\n", infile); | ||
94 | + (void) TIFFClose(out); | ||
95 | + exit(-2); | ||
96 | + } | ||
97 | if (resolution > 0) { | ||
98 | TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); | ||
99 | TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); | ||