Bug 1261 - CVE-2012-4564 libtiff ppm2tiff does not check the return value of the TIFFScanlineSize function
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: -Enter Bugs Here-
: Fresh
: All Linux
: Normal normal
Assigned To: Desktop Triage Team
: Desktop Triage Team
Reported: 2012-12-18 17:55 MSK by Alexander Khryukin
Modified: 2012-12-18 17:57 MSK
RPM Package: libtiff

Comment 1 Alexander Khryukin 2012-12-18 17:55:53 MSK
Index: tif_pixarlog.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
retrieving revision 1.36
retrieving revision 1.38
diff -u -r1.36 -r1.38
--- tif_pixarlog.c	24 May 2012 05:25:14 -0000	1.36
+++ tif_pixarlog.c	21 Jun 2012 01:01:53 -0000	1.38
@@ -673,7 +673,7 @@
 				      td->td_rowsperstrip), sizeof(uint16));
 	if (tbuf_size == 0)
 		return (0);   /* TODO: this is an error return without error report through TIFFErrorExt */
-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
 	if (sp->tbuf == NULL)
 		return (0);
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
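
Review bot: The added term in the `_TIFFmalloc` argument, `tbuf_size+sizeof(uint16)*sp->stride`, is computed with plain arithmetic and nothing in this hunk checks it for wrap-around, so a `tbuf_size` near the size limit or a large `sp->stride` could still yield an allocation smaller than intended. The `tbuf_size == 0` test directly above suggests the base size is already validated; the padded size should get the same treatment before the allocation, returning 0 if the sum would overflow. The hunk also gives no reason for the extra `stride` elements, so a short comment stating which access past `tbuf_size` the padding covers would keep it from being removed later. Separately, this diff touches only `tif_pixarlog.c`, while the bug summary describes a missing check on the return value of `TIFFScanlineSize` in ppm2tiff; nothing in the visible lines addresses that, so it is worth confirming that the attached patch is the one intended for this bug.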