diff options
author | Even Rouault <even.rouault@spatialys.com> | 2019-08-20 15:29:06 +0200 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-20 15:29:06 +0200 |
commit | dd50fedc2f660f73615d1aca043ac66de6af4117 (patch) | |
tree | 110a7999b7f4f4a0f15d202d373b29252045525a | |
parent | b04da30e11d11b16281e2c430aa68a0317289ba8 (diff) | |
download | libtiff-git-dd50fedc2f660f73615d1aca043ac66de6af4117.tar.gz |
_TIFFPartialReadStripArray(): avoid triggering unsigned integer overflow with -fsanitize=unsigned-integer-overflow (not a bug, this is well defined by itself)
-rw-r--r-- | libtiff/tif_dirread.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index 3a06ea71..02642057 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -5958,6 +5958,13 @@ static void TryChopUpUncompressedBigTiff( TIFF* tif ) allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip); } + +TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW +static uint64 _TIFFUnsanitizedAddUInt64AndInt(uint64 a, int b) +{ + return a + b; +} + /* Read the value of [Strip|Tile]Offset or [Strip|Tile]ByteCount around * strip/tile of number strile. Also fetch the neighbouring values using a * 4096 byte page size. @@ -6059,7 +6066,7 @@ int _TIFFPartialReadStripArray( TIFF* tif, TIFFDirEntry* dirent, iStartBefore = -strile; for( i = iStartBefore; (uint32)(strile + i) < arraySize && - (uint64)(nOffset) + (i + 1) * sizeofvalint <= nOffsetEndPage; + _TIFFUnsanitizedAddUInt64AndInt(nOffset, (i + 1) * sizeofvalint) <= nOffsetEndPage; ++i ) { if( sizeofval == sizeof(uint16) ) |