Upstream patch for bug #601274 (CVE-2010-2065)
diff -Naur tiff-3.8.2.orig/libtiff/tif_read.c tiff-3.8.2/libtiff/tif_read.c
--- tiff-3.8.2.orig/libtiff/tif_read.c 2005-12-21 07:33:56.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_read.c 2010-06-13 16:04:13.000000000 -0400
@@ -525,16 +525,18 @@
_TIFFfree(tif->tif_rawdata);
tif->tif_rawdata = NULL;
}
+
if (bp) {
tif->tif_rawdatasize = size;
tif->tif_rawdata = (tidata_t) bp;
tif->tif_flags &= ~TIFF_MYBUFFER;
} else {
tif->tif_rawdatasize = TIFFroundup(size, 1024);
- tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
+ if (tif->tif_rawdatasize > 0)
+ tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
tif->tif_flags |= TIFF_MYBUFFER;
}
- if (tif->tif_rawdata == NULL) {
+ if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: No space for data buffer at scanline %ld",
tif->tif_name, (long) tif->tif_row);
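Review bot: In the `else` branch the added `if (tif->tif_rawdatasize > 0)` guard skips the allocation but leaves `tif->tif_rawdata` with whatever value it held before, and the only reset to NULL visible in the hunk sits inside the conditional block that closes at the `}` on the first context lines; if that block was not entered (for instance when the previous buffer was caller-supplied rather than `TIFF_MYBUFFER`), a stale pointer survives while `TIFF_MYBUFFER` is set on the next line, so a later setup call could free memory libtiff does not own. The zero-size path is caught by the new `tif_rawdatasize == 0` test, but relying on that rather than on the pointer itself is fragile; I would clear it explicitly before the guarded allocation, `tif->tif_rawdata = NULL;` as the first statement of the `else` branch. The `"No space for data buffer"` message is also misleading for the size-zero case, which is a malformed strip/tile size rather than an allocation failure; a separate error text for that branch would make the rejected input easier to diagnose from logs. The enclosing function (presumably TIFFReadBufferSetup) starts and ends outside the hunk, so the condition on the block freeing the old buffer could not be confirmed here.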