graphics/tiff: fix integer overflows leading to heap overflows
On Tue, Apr 14, 2026 at 06:02:14PM +0200, Christian Weisgerber wrote: > Grab upstream fixes for integer overflows that lead to heap overflows. > One is a fix for CVE-2026-4775. While looking over the commit history, > I also noticed another fix that looked worthwhile. This is a game > of whack-a-mole ... I checked the patches carefully and tested build/regress on sparc64. ok tb > + int tv_size = TIFFFieldSetGetSize(fip); > +- raw_data = _TIFFmallocExt(tif, tv_size * value_count); > ++ raw_data = _TIFFCheckMalloc(tif, value_count, tv_size, > ++ "for tag data"); I could not exclude a zero-sized allocation here, but this isn't new.
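Review bot: The quoted lines do not show raw_data being checked after the new _TIFFCheckMalloc(tif, value_count, tv_size, "for tag data") call on the "++" lines. _TIFFCheckMalloc returns NULL when the allocation fails, so the code that follows should return an error on NULL before anything is written to the buffer. For the zero-size case raised in the reply, an explicit guard ahead of the call that rejects value_count == 0 or tv_size <= 0 (tv_size is declared int on the "+" line above) would make the behaviour independent of what the allocator does with a zero-byte request.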