diff options
author | Even Rouault <even.rouault@spatialys.com> | 2019-08-14 09:47:58 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-08-14 09:47:58 +0000 |
commit | 2218055ca67d84be596a13080e8f50f22116555c (patch) | |
tree | 621e53c537056bd8c3a09367a93a8bb48404d2a2 /libtiff/tif_tile.c | |
parent | 12768a24b19b9fe6746f9545c9d77bff1e306db4 (diff) | |
parent | 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 (diff) | |
download | libtiff-git-2218055ca67d84be596a13080e8f50f22116555c.tar.gz |
Merge branch 'fix_integer_overflow' into 'master'
Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973)
See merge request libtiff/libtiff!90
Diffstat (limited to 'libtiff/tif_tile.c')
-rw-r--r-- | libtiff/tif_tile.c | 27 |
1 files changed, 3 insertions, 24 deletions
diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c index 58fe9354..661cc771 100644 --- a/libtiff/tif_tile.c +++ b/libtiff/tif_tile.c @@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif) { static const char module[] = "TIFFTileRowSize"; uint64 m; - tmsize_t n; m=TIFFTileRowSize64(tif); - n=(tmsize_t)m; - if ((uint64)n!=m) - { - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); - n=0; - } - return(n); + return _TIFFCastUInt64ToSSize(tif, m, module); } /* @@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) { static const char module[] = "TIFFVTileSize"; uint64 m; - tmsize_t n; m=TIFFVTileSize64(tif,nrows); - n=(tmsize_t)m; - if ((uint64)n!=m) - { - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); - n=0; - } - return(n); + return _TIFFCastUInt64ToSSize(tif, m, module); } /* @@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif) { static const char module[] = "TIFFTileSize"; uint64 m; - tmsize_t n; m=TIFFTileSize64(tif); - n=(tmsize_t)m; - if ((uint64)n!=m) - { - TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); - n=0; - } - return(n); + return _TIFFCastUInt64ToSSize(tif, m, module); } /* |