author | Even Rouault <even.rouault@spatialys.com> | 2019-08-27 00:02:29 +0200 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-27 00:02:29 +0200 |
commit | 9034afb44047af9209f76b691ec2de9b5fe9f360 (patch) | |
tree | 59dfbeddac7d5bf2b965c6a74a86bb99fb261999 | |
parent | 244dfb46afb53243e69e691bfb882dfe388237ba (diff) | |
download | libtiff-git-9034afb44047af9209f76b691ec2de9b5fe9f360.tar.gz |
TIFFReadDirEntryData(): rewrite to avoid unsigned integer overflow (not a bug). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16792
-rw-r--r-- | libtiff/tif_dirread.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 467ff840..c5584fe6 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3394,13 +3394,13 @@ TIFFReadDirEntryData(TIFF* tif, uint64 offset, tmsize_t size, void* dest)
 } else {
 size_t ma,mb;
 ma=(size_t)offset;
+ if( (uint64)ma!=offset ||
+ ma > (~(size_t)0) - (size_t)size )
+ {
+ return TIFFReadDirEntryErrIo;
+ }
 mb=ma+size;
- if (((uint64)ma!=offset)
- || (mb < ma)
- || (mb - ma != (size_t) size)
- || (mb < (size_t)size)
- || (mb > (size_t)tif->tif_size)
- )
+ if (mb > (size_t)tif->tif_size)
 return(TIFFReadDirEntryErrIo);
 _TIFFmemcpy(dest,tif->tif_base+ma,size);
 } |
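Review bot: The new pre-check casts `size` (a `tmsize_t`, which is signed in libtiff) to `size_t`, so a negative value is rejected only indirectly, when the later `mb > (size_t)tif->tif_size` comparison sees a very large `mb`; nothing visible in the hunk states that `size` is positive here. Because these two checks are what keep `_TIFFmemcpy` inside the mapped file, I would make the assumption explicit, either by starting the new condition with `size < 0 ||` or by adding a comment such as `/* size > 0 here; reject before the addition so ma + size cannot wrap */`. As a smaller style point, the added branch writes `return TIFFReadDirEntryErrIo;` while the line below keeps `return(TIFFReadDirEntryErrIo);`. The function begins and ends outside the hunk, so an earlier validation of `size` may already exist.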