diff options
| author | Even Rouault <even.rouault@spatialys.com> | 2019-08-23 14:54:26 +0200 |
|---|---|---|
| committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-23 14:54:26 +0200 |
| commit | 67f7561e70d2d684b1efd15fffa7a6fb6ed284ab (patch) | |
| tree | b97318e2e211625adc059f17b900578e5e64c96c | |
| parent | ea271d743467d82fb5ede54ffdf4ed05774d3b17 (diff) | |
| download | libtiff-git-67f7561e70d2d684b1efd15fffa7a6fb6ed284ab.tar.gz | |
TIFFFillStrip(): avoid harmless unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16653
| -rw-r--r-- | libtiff/tif_read.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c index c436b0d5..b9e5a932 100644 --- a/libtiff/tif_read.c +++ b/libtiff/tif_read.c @@ -735,6 +735,12 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) return (TIFFReadRawStrip1(tif, strip, buf, bytecountm, module)); } +TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW +static uint64 NoSantizeSubUInt64(uint64 a, uint64 b) +{ + return a - b; +} + /* * Read the specified strip and setup for decoding. The data buffer is * expanded, as necessary, to hold the strip's data. @@ -818,7 +824,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) "Read error on strip %lu; " "got %I64u bytes, expected %I64u", (unsigned long) strip, - (unsigned __int64) tif->tif_size - TIFFGetStrileOffset(tif, strip), + (unsigned __int64) NoSantizeSubUInt64(tif->tif_size, TIFFGetStrileOffset(tif, strip)), (unsigned __int64) bytecount); #else TIFFErrorExt(tif->tif_clientdata, module, @@ -826,7 +832,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) "Read error on strip %lu; " "got %llu bytes, expected %llu", (unsigned long) strip, - (unsigned long long) tif->tif_size - TIFFGetStrileOffset(tif, strip), + (unsigned long long) NoSantizeSubUInt64(tif->tif_size, TIFFGetStrileOffset(tif, strip)), (unsigned long long) bytecount); #endif tif->tif_curstrip = NOSTRIP; |