File: 0045-heap-based-buffer-overflow-in-TIFF-coder-alert-from-.patch

package info (click to toggle)
imagemagick 8%3A6.9.11.60%2Bdfsg-1.6%2Bdeb12u3
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 76,816 kB
  • sloc: ansic: 349,503; cpp: 21,804; xml: 11,029; perl: 6,417; sh: 5,877; makefile: 3,042; tcl: 459
file content (29 lines) | stat: -rw-r--r-- 1,245 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
 
From: Cristy <mikayla-grace@urban-warrior.org>
Date: Mon, 26 Jul 2021 13:38:45 -0400
Subject: heap-based buffer overflow in TIFF coder (alert from Hunter
 Mitchell)

bug: https://github.com/ImageMagick/ImageMagick6/issues/245
origin: https://github.com/ImageMagick/ImageMagick6/commit/f90a091c7dd12cc53b0999bf49d1c80651534eea
---
 coders/tiff.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/coders/tiff.c b/coders/tiff.c
index 38badad..c326559 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1972,12 +1972,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         number_pixels=(MagickSizeType) columns*rows;
         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
-        extent=TIFFTileSize(tiff);
-#if defined(TIFF_VERSION_BIG)
-        extent=MagickMax(rows*columns*sizeof(uint64),extent);
-#else
-        extent=MagickMax(rows*columns*sizeof(uint32),extent);
-#endif
+        extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*tile_pixels));
         if (tile_pixels == (unsigned char *) NULL)