diff options
author | Tom Lane <tgl@sss.pgh.pa.us> | 2012-12-10 17:27:13 +0000 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2012-12-10 17:27:13 +0000 |
commit | bff7f4571699b492dac5c36ac7aab61db905491b (patch) | |
tree | 95151f2e8a664928e1fcb420ebaa3c9d5e3b9035 /libtiff/tif_pixarlog.c | |
parent | 74295b7487fb6ee7348f7f2b3fd49cd095444ba1 (diff) | |
download | libtiff-git-bff7f4571699b492dac5c36ac7aab61db905491b.tar.gz |
Detect integer overflow in addition when computing buffer size.
Diffstat (limited to 'libtiff/tif_pixarlog.c')
-rw-r--r-- | libtiff/tif_pixarlog.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c index e5831170..044c4115 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c @@ -1,4 +1,4 @@ -/* $Id: tif_pixarlog.c,v 1.38 2012-06-21 01:01:53 fwarmerdam Exp $ */ +/* $Id: tif_pixarlog.c,v 1.39 2012-12-10 17:27:13 tgl Exp $ */ /* * Copyright (c) 1996-1997 Sam Leffler @@ -644,6 +644,20 @@ multiply_ms(tmsize_t m1, tmsize_t m2) return bytes; } +static tmsize_t +add_ms(tmsize_t m1, tmsize_t m2) +{ + tmsize_t bytes = m1 + m2; + + /* if either input is zero, assume overflow already occurred */ + if (m1 == 0 || m2 == 0) + bytes = 0; + else if (bytes <= m1 || bytes <= m2) + bytes = 0; + + return bytes; +} + static int PixarLogFixupTags(TIFF* tif) { @@ -671,9 +685,11 @@ PixarLogSetupDecode(TIFF* tif) td->td_samplesperpixel : 1); tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth), td->td_rowsperstrip), sizeof(uint16)); + /* add one more stride in case input ends mid-stride */ + tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride); if (tbuf_size == 0) return (0); /* TODO: this is an error return without error report through TIFFErrorExt */ - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); if (sp->tbuf == NULL) return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) |