File: 0044-heap-based-buffer-overflow-in-TIFF-coder-alert-from-.patch

package info (click to toggle)
imagemagick 8%3A6.9.11.60%2Bdfsg-1.6%2Bdeb12u3
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 76,816 kB
  • sloc: ansic: 349,503; cpp: 21,804; xml: 11,029; perl: 6,417; sh: 5,877; makefile: 3,042; tcl: 459
file content (27 lines) | stat: -rw-r--r-- 1,065 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
 
From: Cristy <mikayla-grace@urban-warrior.org>
Date: Mon, 26 Jul 2021 13:26:21 -0400
Subject: heap-based buffer overflow in TIFF coder (alert from Hunter
 Mitchell)

origin:  https://github.com/ImageMagick/ImageMagick6/commit/35b88c9166bc1b3ce8893f52217bae00d8e2c532
bug: https://github.com/ImageMagick/ImageMagick6/issues/245
---
 coders/tiff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/coders/tiff.c b/coders/tiff.c
index 8d552fc..38badad 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1974,9 +1974,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         extent=TIFFTileSize(tiff);
 #if defined(TIFF_VERSION_BIG)
-        extent+=columns*sizeof(uint64);
+        extent=MagickMax(rows*columns*sizeof(uint64),extent);
 #else
-        extent+=columns*sizeof(uint32);
+        extent=MagickMax(rows*columns*sizeof(uint32),extent);
 #endif
         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*tile_pixels));