Merge branch 'fix_integer_overflow' into 'master'

Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973) See merge request libtiff/libtiff!90
author: Even Rouault <even.rouault@spatialys.com> 2019-08-14 09:47:58 +0000
committer: Even Rouault <even.rouault@spatialys.com> 2019-08-14 09:47:58 +0000
commit: 2218055ca67d84be596a13080e8f50f22116555c (patch)
tree: 621e53c537056bd8c3a09367a93a8bb48404d2a2 /libtiff/tif_luv.c
parent: 12768a24b19b9fe6746f9545c9d77bff1e306db4 (diff)
parent: 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 (diff)
download: libtiff-git-2218055ca67d84be596a13080e8f50f22116555c.tar.gz
1 files changed, 1 insertions, 7 deletions
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 6a63eadc..6fe48588 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1269,16 +1269,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
 	return (SGILOGDATAFMT_UNKNOWN);
 }
 
-
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-
 static tmsize_t
 multiply_ms(tmsize_t m1, tmsize_t m2)
 {
-        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
-            return 0;
-        return m1 * m2;
+        return _TIFFMultiplySSize(NULL, m1, m2, NULL);
 }
 
 static int
author	Even Rouault <even.rouault@spatialys.com>	2019-08-14 09:47:58 +0000
committer	Even Rouault <even.rouault@spatialys.com>	2019-08-14 09:47:58 +0000
commit	2218055ca67d84be596a13080e8f50f22116555c (patch)
tree	621e53c537056bd8c3a09367a93a8bb48404d2a2 /libtiff/tif_luv.c
parent	12768a24b19b9fe6746f9545c9d77bff1e306db4 (diff)
parent	1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 (diff)
download	libtiff-git-2218055ca67d84be596a13080e8f50f22116555c.tar.gz