17 lines
950 B
Diff
17 lines
950 B
Diff
Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40263.patch
|
|
diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
|
|
--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:47.713009853 +0200
|
|
+++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:48.043006563 +0200
|
|
@@ -2081,6 +2081,11 @@ Load(FreeImageIO *io, fi_handle handle,
|
|
uint32 tileRowSize = (uint32)TIFFTileRowSize(tif);
|
|
uint32 imageRowSize = (uint32)TIFFScanlineSize(tif);
|
|
|
|
+ if (width / tileWidth * tileRowSize * 8 > bitspersample * samplesperpixel * width) {
|
|
+ free(tileBuffer);
|
|
+ throw "Corrupted tiled TIFF file";
|
|
+ }
|
|
+
|
|
|
|
// In the tiff file the lines are saved from up to down
|
|
// In a DIB the lines must be saved from down to up
|