authorAntoine Brodin <antoine@FreeBSD.org>2015-03-30 20:47:12 +0000
committerAntoine Brodin <antoine@FreeBSD.org>2015-03-30 20:47:12 +0000
commit0395bf9b0110a7dda3303cfa79e0fce316e90a57 (patch)
treec32b73b79e53bec32dd02a56c6b7a2fdc7a8afc8
parente9da03682c4341a3732369c38a3105f9ae069200 (diff)
MFH: r382617
tools/tiffdither.c: check memory allocations to avoid writing to NULL pointer. Also check multiplication overflow. Fixes #2501, CVE-2014-8128. Derived from patch by Petr Gajdos. Reported by: naddy Obtained from: https://github.com/vadz/libtiff/commit/147b2698c84004fe2da93c0fc7177a7c3797533d
Notes
Notes: svn path=/branches/2015Q1/; revision=382724
-rw-r--r--graphics/tiff/Makefile1
-rw-r--r--graphics/tiff/files/patch-tools_tiffdither.c70
2 files changed, 71 insertions, 0 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index e9a7b145998d..ba45f6787fa7 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -3,6 +3,7 @@
PORTNAME= tiff
DISTVERSION= 4.0.4beta
+PORTREVISION= 1
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://download.osgeo.org/libtiff/
diff --git a/graphics/tiff/files/patch-tools_tiffdither.c b/graphics/tiff/files/patch-tools_tiffdither.c
new file mode 100644
index 000000000000..fc8b4d5bb989
--- /dev/null
+++ b/graphics/tiff/files/patch-tools_tiffdither.c
@@ -0,0 +1,70 @@
+--- tools/tiffdither.c.orig 2013-05-02 14:44:29 UTC
++++ tools/tiffdither.c
+@@ -39,6 +39,7 @@
+ #endif
+
+ #include "tiffio.h"
++#include "tiffiop.h"
+
+ #define streq(a,b) (strcmp(a,b) == 0)
+ #define strneq(a,b,n) (strncmp(a,b,n) == 0)
+@@ -56,7 +57,7 @@ static void usage(void);
+ * Floyd-Steinberg error propragation with threshold.
+ * This code is stolen from tiffmedian.
+ */
+-static void
++static int
+ fsdither(TIFF* in, TIFF* out)
+ {
+ unsigned char *outline, *inputline, *inptr;
+@@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out)
+ int lastline, lastpixel;
+ int bit;
+ tsize_t outlinesize;
++ int errcode = 0;
+
+ imax = imagelength - 1;
+ jmax = imagewidth - 1;
+ inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+- thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
+- nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
++ thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
++ nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
+ outlinesize = TIFFScanlineSize(out);
+ outline = (unsigned char *) _TIFFmalloc(outlinesize);
++ if (! (inputline && thisline && nextline && outline)) {
++ fprintf(stderr, "Out of memory.\n");
++ goto skip_on_error;
++ }
+
+ /*
+ * Get first line
+@@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out)
+ nextline = tmpptr;
+ lastline = (i == imax);
+ if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+- break;
++ goto skip_on_error;
+ inptr = inputline;
+ nextptr = nextline;
+ for (j = 0; j < imagewidth; ++j)
+@@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out)
+ }
+ }
+ if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+- break;
++ goto skip_on_error;
+ }
++ goto exit_label;
++
+ skip_on_error:
++ errcode = 1;
++ exit_label:
+ _TIFFfree(inputline);
+ _TIFFfree(thisline);
+ _TIFFfree(nextline);
+ _TIFFfree(outline);
++ return errcode;
+ }
+
+ static uint16 compression = COMPRESSION_PACKBITS;
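Review bot: The overflow guard on `thisline`/`nextline` only works if a zero-byte `_TIFFmalloc` request returns NULL. `TIFFSafeMultiply` yields 0 when `imagewidth * sizeof (short)` does not fit in `tmsize_t`, and the added `if (! (inputline && thisline && nextline && outline))` catches that only when the zero-size allocation fails; if `_TIFFmalloc` simply forwards to `malloc`, that is not guaranteed (its definition is not on this page, so confirm against the bundled libtiff). Checking the product itself removes the dependency on the allocator: compute `tmsize_t linesize = TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short));` once and add `linesize == 0 ||` to the front of the existing NULL test, so the check still runs after all four pointers have been assigned. Separately, none of the embedded hunks touches the call site, so the new `int` result of fsdither() appears to be discarded and the tool would still exit 0 after an allocation, read or write failure. main() and parts of fsdither's body are outside what the patch shows.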