[Triage-desktop] [Bug 1261] CVE-2012-4564 libtiff ppm2tiff does not check the return value of the TIFFScanlineSize function

bugzilla-daemon bugzilla-daemon at rosalab.ru
Tue Dec 18 17:55:53 MSK 2012


http://bugs.rosalinux.ru/show_bug.cgi?id=1261

--- Comment #1 from Alexander Khryukin <alexander.hryukin at rosalab.ru> ---
Index: tif_pixarlog.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
retrieving revision 1.36
retrieving revision 1.38
diff -u -r1.36 -r1.38
--- tif_pixarlog.c    24 May 2012 05:25:14 -0000    1.36
+++ tif_pixarlog.c    21 Jun 2012 01:01:53 -0000    1.38
@@ -673,7 +673,7 @@
                       td->td_rowsperstrip), sizeof(uint16));
     if (tbuf_size == 0)
         return (0);   /* TODO: this is an error return without error report
through TIFFErrorExt */
-    sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+    sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
     if (sp->tbuf == NULL)
         return (0);
     if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rosalab.ru/pipermail/triage-desktop/attachments/20121218/0d6cd75c/attachment.html>


More information about the Triage-desktop mailing list