diff options
author | Even Rouault <even.rouault@spatialys.com> | 2017-05-13 18:29:38 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2017-05-13 18:29:38 +0000 |
commit | 99e8fb373ea71bc7a9fab3fc92674883913884b9 (patch) | |
tree | 33c5727e75b54824ee36ac393be763e59f1a9225 /libtiff/tif_pixarlog.c | |
parent | 0a6763b5a093d19a5f059b92e31733947c2f5468 (diff) | |
download | libtiff-git-99e8fb373ea71bc7a9fab3fc92674883913884b9.tar.gz |
* libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
overflows in multiply_ms() and add_ms().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
Credit to OSS-Fuzz
Diffstat (limited to 'libtiff/tif_pixarlog.c')
-rw-r--r-- | libtiff/tif_pixarlog.c | 24 |
1 files changed, 11 insertions, 13 deletions
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index ae84fff5..4b62f4b6 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c @@ -1,4 +1,4 @@ -/* $Id: tif_pixarlog.c,v 1.51 2017-05-10 15:21:16 erouault Exp $ */ +/* $Id: tif_pixarlog.c,v 1.52 2017-05-13 18:29:38 erouault Exp $ */ /* * Copyright (c) 1996-1997 Sam Leffler @@ -636,29 +636,27 @@ PixarLogGuessDataFmt(TIFFDirectory *td) return guess; } +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) + static tmsize_t multiply_ms(tmsize_t m1, tmsize_t m2) { - tmsize_t bytes = m1 * m2; - - if (m1 && bytes / m1 != m2) - bytes = 0; - - return bytes; + if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) + return 0; + return m1 * m2; } static tmsize_t add_ms(tmsize_t m1, tmsize_t m2) { - tmsize_t bytes = m1 + m2; - /* if either input is zero, assume overflow already occurred */ if (m1 == 0 || m2 == 0) - bytes = 0; - else if (bytes <= m1 || bytes <= m2) - bytes = 0; + return 0; + else if (m1 > TIFF_TMSIZE_T_MAX - m2) + return 0; - return bytes; + return m1 + m2; } static int |