summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEven Rouault <even.rouault@spatialys.com>2019-08-27 00:02:29 +0200
committerEven Rouault <even.rouault@spatialys.com>2019-08-27 00:02:29 +0200
commit9034afb44047af9209f76b691ec2de9b5fe9f360 (patch)
tree59dfbeddac7d5bf2b965c6a74a86bb99fb261999
parent244dfb46afb53243e69e691bfb882dfe388237ba (diff)
downloadlibtiff-git-9034afb44047af9209f76b691ec2de9b5fe9f360.tar.gz
TIFFReadDirEntryData(): rewrite to avoid unsigned integer overflow (not a bug). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16792
-rw-r--r--libtiff/tif_dirread.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 467ff840..c5584fe6 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3394,13 +3394,13 @@ TIFFReadDirEntryData(TIFF* tif, uint64 offset, tmsize_t size, void* dest)
} else {
size_t ma,mb;
ma=(size_t)offset;
+ if( (uint64)ma!=offset ||
+ ma > (~(size_t)0) - (size_t)size )
+ {
+ return TIFFReadDirEntryErrIo;
+ }
mb=ma+size;
- if (((uint64)ma!=offset)
- || (mb < ma)
- || (mb - ma != (size_t) size)
- || (mb < (size_t)size)
- || (mb > (size_t)tif->tif_size)
- )
+ if (mb > (size_t)tif->tif_size)
return(TIFFReadDirEntryErrIo);
_TIFFmemcpy(dest,tif->tif_base+ma,size);
}