From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
From: erouault
Date: Fri, 4 Nov 2016 09:19:13 +0000
Subject: [PATCH 2/2] Fix CVE-2016-9535
* libtiff/tif_predic.c: fix memory leaks in error code paths added in previous commit (fix for MSVR 35105)
CVE: CVE-2016-9535
Upstream-Status: Backport https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
Signed-off-by: Mingli Yu
---
 libtiff/tif_predict.c | 8 ++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
index b829259..3f42f3b 100644
--- a/libtiff/tif_predict.c
+++ b/libtiff/tif_predict.c
@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
 tmsize_t wc = cc / bps;
 tmsize_t count = cc;
 uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+ uint8 *tmp;
 if(cc%(bps*stride)!=0) {
@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
 return 0;
 }
+ tmp = (uint8 *)_TIFFmalloc(cc);
 if (!tmp) return 0;
@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
 tmsize_t wc = cc / bps;
 tmsize_t count;
 uint8 *cp = (uint8 *) cp0;
- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
+ uint8 *tmp;
 if((cc%(bps*stride))!=0) {
@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
 "%s", "(cc%(bps*stride))!=0");
 return 0;
 }
+
+ tmp = (uint8 *)_TIFFmalloc(cc);
 if (!tmp) return 0;
@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
 {
 TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile", "%s", "(cc0%rowsize)!=0");
+ _TIFFfree( working_copy );
 return 0;
 }
 while (cc > 0) {
--
2.9.3
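Review bot: The allocation-failure path directly after the moved `tmp = (uint8 *)_TIFFmalloc(cc);` in fpAcc still returns 0 without reporting anything, so a decode that fails on an oversized or malformed strip leaves no diagnostic to tell it apart from other failures. Consider `if (!tmp) { TIFFErrorExt(tif->tif_clientdata, "fpAcc", "%s", "Out of memory"); return 0; }`, matching the style of the error call whose tail is visible in the fpDiff hunk. The same applies to the `if (!tmp) return 0;` after the moved allocation in fpDiff (hunk -648,6 +649,8). Both function bodies continue outside the hunks, so the matching `_TIFFfree(tmp)` on the success path is assumed rather than visible here.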
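Review bot: The added `_TIFFfree( working_copy );` closes this one early return in PredictorEncodeTile, but every exit path still has to free the buffer by hand, which is the pattern that let the leak in. The function starts and ends outside the hunk, so the other returns cannot be checked from here; if there are more, a single cleanup label (`goto out;` with `_TIFFfree(working_copy);` before the one `return`) would keep future error paths from leaking again. A short comment at the allocation site stating that `working_copy` is owned by this function and released on every return would also document the contract.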