author | Even Rouault <even.rouault@spatialys.com> | 2019-08-14 09:47:58 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-14 09:47:58 +0000 |
commit | 2218055ca67d84be596a13080e8f50f22116555c (patch) | |
tree | 621e53c537056bd8c3a09367a93a8bb48404d2a2 /libtiff/tif_aux.c | |
parent | 12768a24b19b9fe6746f9545c9d77bff1e306db4 (diff) | |
parent | 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 (diff) | |
Merge branch 'fix_integer_overflow' into 'master'
Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973)
See merge request libtiff/libtiff!90
Diffstat (limited to 'libtiff/tif_aux.c')
-rw-r--r-- | libtiff/tif_aux.c | 49 |
1 files changed, 44 insertions, 5 deletions
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 90d30214..3e9bda43 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -58,18 +58,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
 return bytes;
 }
+tmsize_t
+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
+{
+ if( first <= 0 || second <= 0 )
+ {
+ if( tif != NULL && where != NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, where,
+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
+ }
+ return 0;
+ }
+
+ if( first > TIFF_TMSIZE_T_MAX / second )
+ {
+ if( tif != NULL && where != NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, where,
+ "Integer overflow in %s", where);
+ }
+ return 0;
+ }
+ return first * second;
+}
+
+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
+{
+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
+ {
+ if( tif != NULL && module != NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+ }
+ return 0;
+ }
+ return (tmsize_t)val;
+}
+
 void* _TIFFCheckRealloc(TIFF* tif, void* buffer, tmsize_t nmemb, tmsize_t elem_size, const char* what)
 {
 void* cp = NULL;
- tmsize_t bytes = nmemb * elem_size;
-
+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
 /*
- * XXX: Check for integer overflow.
+ * Check for integer overflow.
 */
- if (nmemb && elem_size && bytes / elem_size == nmemb)
- cp = _TIFFrealloc(buffer, bytes);
+ if (count != 0)
+ {
+ cp = _TIFFrealloc(buffer, count);
+ }
 if (cp == NULL) {
 TIFFErrorExt(tif->tif_clientdata, tif->tif_name, |
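Review bot: Both new helpers report failure by returning 0, and neither carries a comment stating that contract; in `_TIFFCastUInt64ToSSize` a legitimate `val` of 0 is indistinguishable from the overflow case, so a caller cannot tell an empty size from a rejected one. I would add a header comment to each, e.g. `/* Returns first * second, or 0 if either operand is <= 0 or the product exceeds TIFF_TMSIZE_T_MAX; callers must treat 0 as failure and must not pass it on as a size. */`, with a matching one on the cast helper. `_TIFFCheckRealloc` does check `count != 0`, but it passes `NULL` as `where`, so an overflow appears to be reported only through the allocation-failure message that follows; that message and the rest of the function continue outside the hunk.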