summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEven Rouault <even.rouault@spatialys.com>2019-08-20 13:29:06 (GMT)
committerEven Rouault <even.rouault@spatialys.com>2019-08-20 13:29:06 (GMT)
commitdd50fedc2f660f73615d1aca043ac66de6af4117 (patch)
tree110a7999b7f4f4a0f15d202d373b29252045525a
parentb04da30e11d11b16281e2c430aa68a0317289ba8 (diff)
downloadlibtiff-git-dd50fedc2f660f73615d1aca043ac66de6af4117.tar.gz
_TIFFPartialReadStripArray(): avoid triggering unsigned integer overflow with -fsanitize=unsigned-integer-overflow (not a bug, this is well defined by itself)
-rw-r--r--libtiff/tif_dirread.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 3a06ea7..0264205 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5958,6 +5958,13 @@ static void TryChopUpUncompressedBigTiff( TIFF* tif )
allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
}
+
+TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
+static uint64 _TIFFUnsanitizedAddUInt64AndInt(uint64 a, int b)
+{
+ return a + b;
+}
+
/* Read the value of [Strip|Tile]Offset or [Strip|Tile]ByteCount around
* strip/tile of number strile. Also fetch the neighbouring values using a
* 4096 byte page size.
@@ -6059,7 +6066,7 @@ int _TIFFPartialReadStripArray( TIFF* tif, TIFFDirEntry* dirent,
iStartBefore = -strile;
for( i = iStartBefore;
(uint32)(strile + i) < arraySize &&
- (uint64)(nOffset) + (i + 1) * sizeofvalint <= nOffsetEndPage;
+ _TIFFUnsanitizedAddUInt64AndInt(nOffset, (i + 1) * sizeofvalint) <= nOffsetEndPage;
++i )
{
if( sizeofval == sizeof(uint16) )