Backport of the following, since it did not apply due to whitespace /
formatting
From bd4ce9171fef52720e74ffeeeeca3b0c5b5d4808 Mon Sep 17 00:00:00 2001
From: Victor Kareh <vkareh@redhat.com>
Date: Sun, 11 Aug 2019 05:20:09 +0300
Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
The TIFFReadRGBAImageOriented function returns zero if it was unable to
read the image. Return NULL in this case instead of displaying
uninitialized memory.
This addresses CVE-2019-11459
upstream commit:
https://gitlab.gnome.org/GNOME/evince/commit/234f034a4
---
--- atril-1.22.1/backend/tiff/tiff-document.c
+++ atril-1.22.1/backend/tiff/tiff-document.c
@@ -282,17 +282,21 @@ tiff_document_render (EvDocument *d
return NULL;
}
+ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+ width, height,
+ (uint32 *)pixels,
+ orientation, 0)) {
+ g_warning ("Failed to read TIFF image.");
+ g_free (pixels);
+ return NULL;
+ }
+
surface = cairo_image_surface_create_for_data (pixels,
CAIRO_FORMAT_RGB24,
width, height,
rowstride);
cairo_surface_set_user_data (surface, &key,
pixels, (cairo_destroy_func_t)g_free);
-
- TIFFReadRGBAImageOriented (tiff_document->tiff,
- width, height,
- (uint32 *)pixels,
- orientation, 0);
pop_handlers ();
/* Convert the format returned by libtiff to
@@ -373,13 +377,17 @@ tiff_document_render_pixbuf (EvDocument
if (!pixels)
return NULL;
+ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+ width, height,
+ (uint32 *)pixels,
+ ORIENTATION_TOPLEFT, 0)) {
+ g_free (pixels);
+ return NULL;
+ }
+
pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8,
width, height, rowstride,
(GdkPixbufDestroyNotify) g_free, NULL);
- TIFFReadRGBAImageOriented (tiff_document->tiff,
- width, height,
- (uint32 *)pixels,
- ORIENTATION_TOPLEFT, 0);
pop_handlers ();
scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,
