author | Even Rouault <even.rouault@spatialys.com> | 2019-08-10 18:25:03 +0200 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-13 10:40:08 +0200 |
commit | 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 (patch) | |
tree | 7ea43cec019a4ee323a8f80cb8a8aca336aa9c3d /contrib | |
parent | c9cb49177b1193668d63f788b2b5e30b13b28a2e (diff) | |
download | libtiff-git-1b5e3b6a23827c33acf19ad50ce5ce78f12b3773.tar.gz |
Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973)

_TIFFCheckMalloc()/_TIFFCheckRealloc() used an unsafe way to detect overflow
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
signed), which was especially easily triggered on 32-bit builds (with recent
enough compilers that assume that signed multiplication cannot overflow, since
this is undefined behaviour by the C standard). The original issue which led to
this fix was triggered from tif_fax3.c

There were also unsafe (implementation defined), and broken in practice on 64bit
builds, ways of checking that a uint64 fits in a (signed) tmsize_t by doing
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
at that time exploits, but are better to fix in a more bullet-proof way.
Or similarly use of (int64)uint64_var <= 0.
Diffstat (limited to 'contrib')
0 files changed, 0 insertions, 0 deletions
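
The two kinds of check the commit message describes, side by side with a well-defined alternative, as an added C example that is not libtiff's code and not the patch itself. `ssize_demo_t` and all function names are hypothetical, the "multiply, then divide back" form is one common instance of an after-the-fact overflow test, and rejecting counts of zero or less is this example's choice.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a signed size type such as tmsize_t (64-bit here). */
typedef int64_t ssize_demo_t;
#define SSIZE_DEMO_MAX INT64_MAX

/* Unsafe: multiply first, test afterwards. Signed overflow is undefined
 * behaviour, so a compiler may assume it never happens and drop the test.
 * Kept for contrast only; never called with overflowing inputs here. */
int mul_check_after(ssize_demo_t nmemb, ssize_demo_t elem_size, ssize_demo_t *out)
{
    ssize_demo_t bytes = nmemb * elem_size; /* UB when the product overflows */
    if (elem_size != 0 && bytes / elem_size != nmemb)
        return 0;
    *out = bytes;
    return 1;
}

/* Safe: decide by division before multiplying, so no overflow is ever computed.
 * Rejecting counts <= 0 is this example's choice. */
int mul_check_before(ssize_demo_t nmemb, ssize_demo_t elem_size, ssize_demo_t *out)
{
    if (nmemb <= 0 || elem_size <= 0)
        return 0;
    if (nmemb > SSIZE_DEMO_MAX / elem_size)
        return 0;
    *out = nmemb * elem_size;
    return 1;
}

/* Round-trip cast: out-of-range conversion to signed is implementation-defined;
 * with a 64-bit signed type the value usually wraps and casts back unchanged,
 * so this accepts every input. */
int fits_roundtrip(uint64_t v) { return (uint64_t)(ssize_demo_t)v == v; }

/* Range comparison done entirely in unsigned arithmetic. */
int fits_by_range(uint64_t v) { return v <= (uint64_t)SSIZE_DEMO_MAX; }

int main(void)
{
    ssize_demo_t out = 0;
    int ok = mul_check_before(SSIZE_DEMO_MAX / 2 + 1, 2, &out); /* constructed input */
    printf("overflowing request accepted: %d\n", ok);
    printf("UINT64_MAX fits: roundtrip=%d range=%d\n",
           fits_roundtrip(UINT64_MAX), fits_by_range(UINT64_MAX));
    return 0;
}
```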