$NetBSD: patch-ca,v 1.1.2.2 2009/07/19 19:31:37 spz Exp $

Patch for CVE-2009-2347, taken from here:

http://bugzilla.maptools.org/show_bug.cgi?id=2079

--- tools/rgb2ycbcr.c.orig	2004-09-03 08:57:13.000000000 +0100
+++ tools/rgb2ycbcr.c	2009-07-19 12:39:06.000000000 +0100
@@ -202,6 +202,17 @@
 #undef LumaBlue
 #undef V2Code
 
+static tsize_t
+multiply(tsize_t m1, tsize_t m2)
+{
+    tsize_t prod = m1 * m2;
+
+    if (m1 && prod / m1 != m2)
+        prod = 0;		/* overflow */
+
+    return prod;
+}
+
 /*
  * Convert a strip of RGB data to YCbCr and
  * sample to generate the output data.
@@ -278,10 +289,19 @@
 	float floatv;
 	char *stringv;
 	uint32 longv;
+	tsize_t raster_size;
 
 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-	raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+
+	raster_size = multiply(multiply(width, height), sizeof (uint32));
+	if (!raster_size) {
+		TIFFError(TIFFFileName(in),
+			  "Can't allocate buffer for raster of size %lux%lu",
+			  (unsigned long) width, (unsigned long) height);
+		return (0);
+	}
+	raster = (uint32*)_TIFFmalloc(raster_size);
 	if (raster == 0) {
 		TIFFError(TIFFFileName(in), "No space for raster buffer");
 		return (0);
