fix zero size buffer exploit (CVE-2012-4564) in ppm2tiff

This commit is contained in:
Frank Warmerdam 2012-11-02 05:13:24 +00:00
parent 98fc7e047a
commit 37671b36b9
2 changed files with 18 additions and 3 deletions

View File

@ -1,3 +1,9 @@
2012-11-01 Frank Warmerdam <warmerdam@pobox.com>
* tools/ppm2tiff.c: avoid zero size buffer vulnerability.
CVE-2012-4564 - Thanks to Huzaifa Sidhpurwala of the
Red Hat Security Response team for the fix.
2012-10-18 Frank Warmerdam <warmerdam@google.com>
* tif_zip.c: Avoid crash on NULL error messages.

View File

@ -1,4 +1,4 @@
/* $Id: ppm2tiff.c,v 1.16 2010-04-10 19:22:34 bfriesen Exp $ */
/* $Id: ppm2tiff.c,v 1.17 2012-11-02 05:13:24 fwarmerdam Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@ -89,6 +89,7 @@ main(int argc, char* argv[])
int c;
extern int optind;
extern char* optarg;
tmsize_t scanline_size;
if (argc < 2) {
fprintf(stderr, "%s: Too few arguments\n", argv[0]);
@ -237,8 +238,16 @@ main(int argc, char* argv[])
}
if (TIFFScanlineSize(out) > linebytes)
buf = (unsigned char *)_TIFFmalloc(linebytes);
else
else {
scanline_size = TIFFScanlineSize(out);
if (scanline_size != 0)
buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
else {
fprintf(stderr, "%s: scanline size overflow\n",infile);
(void) TIFFClose(out);
exit(-2);
}
}
if (resolution > 0) {
TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);