1commit 14ffb69a5892fcfff6c72e73af74565467ab6ae9 2Author: Even Rouault <even.rouault@spatialys.com> 3Date: Wed Aug 15 16:34:40 2018 +0200 4 5 TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit systems with large number of strips. Probably relates to http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779 6 7diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c 8index 4c216ec..208a2ee 100644 9--- a/libtiff/tif_write.c 10+++ b/libtiff/tif_write.c 11@@ -540,9 +540,11 @@ TIFFSetupStrips(TIFF* tif) 12 if (td->td_planarconfig == PLANARCONFIG_SEPARATE) 13 td->td_stripsperimage /= td->td_samplesperpixel; 14 td->td_stripoffset = (uint64 *) 15- _TIFFmalloc(td->td_nstrips * sizeof (uint64)); 16+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), 17+ "for \"StripOffsets\" array"); 18 td->td_stripbytecount = (uint64 *) 19- _TIFFmalloc(td->td_nstrips * sizeof (uint64)); 20+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), 21+ "for \"StripByteCounts\" array"); 22 if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) 23 return (0); 24 /* 25