37 lines
1.1 KiB
Text
37 lines
1.1 KiB
Text
$NetBSD: patch-bb,v 1.2 2010/02/16 17:38:14 taca Exp $
|
|
|
|
deal with CVE-2009-2369.
|
|
|
|
--- src/common/imagtiff.cpp.orig 2009-03-06 13:17:40.000000000 +0100
|
|
+++ src/common/imagtiff.cpp
|
|
@@ -261,7 +261,6 @@ bool wxTIFFHandler::LoadFile( wxImage *i
|
|
}
|
|
|
|
uint32 w, h;
|
|
- uint32 npixels;
|
|
uint32 *raster;
|
|
|
|
TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
|
|
@@ -275,9 +274,20 @@ bool wxTIFFHandler::LoadFile( wxImage *i
|
|
(samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
|
|
samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
|
|
|
|
- npixels = w * h;
|
|
+ // guard against integer overflow during multiplication which could result
|
|
+ // in allocating a too small buffer and then overflowing it
|
|
+ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
|
|
+ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
|
|
+ {
|
|
+ if ( verbose )
|
|
+ wxLogError( _("TIFF: Image size is abnormally big.") );
|
|
+
|
|
+ TIFFClose(tif);
|
|
+
|
|
+ return false;
|
|
+ }
|
|
|
|
- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
|
|
+ raster = (uint32*) _TIFFmalloc( bytesNeeded );
|
|
|
|
if (!raster)
|
|
{
|