diff options
author | Even Rouault <even.rouault@spatialys.com> | 2019-08-14 09:47:58 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-14 09:47:58 +0000 |
commit | 2218055ca67d84be596a13080e8f50f22116555c (patch) | |
tree | 621e53c537056bd8c3a09367a93a8bb48404d2a2 /libtiff/tif_getimage.c | |
parent | 12768a24b19b9fe6746f9545c9d77bff1e306db4 (diff) | |
parent | 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 (diff) | |
download | libtiff-git-2218055ca67d84be596a13080e8f50f22116555c.tar.gz |
Merge branch 'fix_integer_overflow' into 'master'
Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973)
See merge request libtiff/libtiff!90
Diffstat (limited to 'libtiff/tif_getimage.c')
-rw-r--r-- | libtiff/tif_getimage.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c index 599bf127..c88b5fa6 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c @@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) uint32 leftmost_tw; tilesize = TIFFTileSize(tif); - bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); + bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); if (bufsize == 0) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); return (0); } @@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) uint16 colorchannels; stripsize = TIFFStripSize(tif); - bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); + bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); if (bufsize == 0) { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); return (0); } |