authorEven Rouault <even.rouault@spatialys.com>2019-09-03 20:15:41 +0200
committerEven Rouault <even.rouault@spatialys.com>2019-09-03 20:15:41 +0200
commit3519ab6c7fd9c7b3692a7053d2dac5a8958a6ab2 (patch)
tree253c81e7cd0608171eb9a5d873c793baf35c2dbf
parent6de57f7e0f7b38a84fef3f7612e23f64bd1f68e6 (diff)
downloadlibtiff-git-3519ab6c7fd9c7b3692a7053d2dac5a8958a6ab2.tar.gz
ByteCountLooksBad and EstimateStripByteCounts: avoid unsigned integer overflows. Fixes https://oss-fuzz.com/testcase-detail/5686156066291712 and https://oss-fuzz.com/testcase-detail/6332499206078464
-rw-r--r--libtiff/tif_dirread.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 94af0c96..6f909413 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3551,9 +3551,17 @@ static int ByteCountLooksBad(TIFF* tif)
filesize = TIFFGetFileSize(tif);
if( offset <= filesize && bytecount > filesize - offset )
return 1;
- if( tif->tif_mode == O_RDONLY &&
- bytecount < TIFFScanlineSize64(tif) * tif->tif_dir.td_imagelength)
- return 1;
+ if( tif->tif_mode == O_RDONLY )
+ {
+ uint64 scanlinesize = TIFFScanlineSize64(tif);
+ if( tif->tif_dir.td_imagelength > 0 &&
+ scanlinesize > TIFF_UINT64_MAX / tif->tif_dir.td_imagelength )
+ {
+ return 1;
+ }
+ if( bytecount < scanlinesize * tif->tif_dir.td_imagelength)
+ return 1;
+ }
return 0;
}
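Review bot: The overflow branch at `scanlinesize > TIFF_UINT64_MAX / tif->tif_dir.td_imagelength` returns 1 without saying why "bad" is the right verdict; a one-line comment would make that reviewable, e.g. `/* scanlinesize * imagelength would exceed UINT64_MAX, so any uint64 bytecount is necessarily too small */`. The guard is only reached when td_imagelength > 0, so the division is safe, and when td_imagelength is 0 the product is 0 and the size comparison cannot trigger, which matches the old behaviour. If TIFFScanlineSize64 can return 0 on failure (not visible here), a zero scanlinesize still makes the comparison vacuous exactly as before the change, so this hunk neither fixes nor worsens that case. ByteCountLooksBad begins before the hunk.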
@@ -4573,6 +4581,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
* of data in the strip and trim this number back accordingly.
*/
strip--;
+ if (td->td_stripoffset_p[strip] > TIFF_UINT64_MAX - td->td_stripbytecount_p[strip])
+ return -1;
if (td->td_stripoffset_p[strip]+td->td_stripbytecount_p[strip] > filesize) {
if( td->td_stripoffset_p[strip] >= filesize ) {
/* Not sure what we should in that case... */
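Review bot: The new early `return -1` reports nothing about why estimation stopped, although an offset/bytecount pair whose sum exceeds TIFF_UINT64_MAX means the directory is inconsistent and is worth a diagnostic for whoever debugs the rejected file. If the function's other failure paths report through TIFFErrorExt (they are outside the hunk), this one should match them, e.g. `TIFFErrorExt(tif->tif_clientdata, module, "Strip offset plus byte count overflows");` before the return, assuming a `module` string is in scope as elsewhere in tif_dirread.c. A short comment on the check itself, `/* guard the addition on the next line against wrap-around */`, would also tie the two lines together. EstimateStripByteCounts starts and ends outside the hunk.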