1 files changed, 56 insertions, 0 deletions

diff --git a/user/atril/CVE-2019-1010006.patch b/user/atril/CVE-2019-1010006.patch
new file mode 100644
index 000000000..ce107d193
--- /dev/null
+++ b/user/atril/CVE-2019-1010006.patch
@@ -0,0 +1,56 @@
+From e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 Mon Sep 17 00:00:00 2001
+From: Jason Crain <jcrain@src.gnome.org>
+Date: Sat, 2 Dec 2017 20:24:33 -0600
+Subject: [PATCH] Fix overflow checks in tiff backend
+
+The overflow checks in tiff_document_render and
+tiff_document_get_thumbnail don't work when optimizations are enabled.
+Change the checks so they don't rely on undefined behavior.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=788980
+---
+ backend/tiff/tiff-document.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 8f40934e..7bf95c2b 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -284,12 +284,12 @@ tiff_document_render (EvDocument      *document,
+ 		return NULL;                
+ 	}
+ 	
+-	bytes = height * rowstride;
+-	if (bytes / rowstride != height) {
++	if (height >= INT_MAX / rowstride) {
+ 		g_warning("Overflow while rendering document.");
+ 		/* overflow */
+ 		return NULL;
+ 	}
++	bytes = height * rowstride;
+ 	
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels) {
+@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument      *document,
+ 	if (width <= 0 || height <= 0)
+ 		return NULL;                
+ 
+-	rowstride = width * 4;
+-	if (rowstride / 4 != width)
++	if (width >= INT_MAX / 4)
+ 		/* overflow */
+ 		return NULL;                
++	rowstride = width * 4;
+         
+-	bytes = height * rowstride;
+-	if (bytes / rowstride != height)
++	if (height >= INT_MAX / rowstride)
+ 		/* overflow */
+ 		return NULL;                
++	bytes = height * rowstride;
+ 	
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels)
+-- 
+2.21.0
+