diff options
author | Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | 2009-08-24 17:15:05 +0000 |
---|---|---|
committer | Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | 2009-08-24 17:15:05 +0000 |
commit | 614f95d8b13b88ace11360c6ca63192dd52444e6 (patch) | |
tree | 9692c567cc9320821d4fee774177a057fa87cac2 /tools/rgb2ycbcr.c | |
parent | ed66fcdf7bdc8bf8fade79f1026dcaa3b9ee007b (diff) | |
download | libtiff-git-614f95d8b13b88ace11360c6ca63192dd52444e6.tar.gz |
* tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied fixes for "Bug 2079 -
CVE-2009-2347 libtiff: integer overflows in various inter-color
space conversion tools".
http://bugzilla.maptools.org/show_bug.cgi?id=2079
Diffstat (limited to 'tools/rgb2ycbcr.c')
-rw-r--r-- | tools/rgb2ycbcr.c | 32 |
1 files changed, 25 insertions, 7 deletions
diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c index 98d6d7dc..70f8ba33 100644 --- a/tools/rgb2ycbcr.c +++ b/tools/rgb2ycbcr.c @@ -1,4 +1,4 @@ -/* $Id: rgb2ycbcr.c,v 1.11 2009-01-22 20:53:07 fwarmerdam Exp $ */ +/* $Id: rgb2ycbcr.c,v 1.12 2009-08-24 17:15:05 bfriesen Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -38,6 +38,7 @@ # include "libport.h" #endif +#include "tiffiop.h" #include "tiffio.h" #define streq(a,b) (strcmp(a,b) == 0) @@ -282,15 +283,32 @@ tiffcvt(TIFF* in, TIFF* out) float floatv; char *stringv; uint32 longv; - int result; + int result; + size_t pixel_count; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); - raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); - } + pixel_count = width * height; + + /* XXX: Check the integer overflow. */ + if (!width || !height || pixel_count / width != height) { + TIFFError(TIFFFileName(in), + "Malformed input file; " + "can't allocate buffer for raster of %lux%lu size", + (unsigned long)width, (unsigned long)height); + return 0; + } + + raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), + "raster buffer"); + if (raster == 0) { + TIFFError(TIFFFileName(in), + "Failed to allocate buffer (%lu elements of %lu each)", + (unsigned long)pixel_count, + (unsigned long)sizeof(uint32)); + return (0); + } + if (!TIFFReadRGBAImage(in, width, height, raster, 0)) { _TIFFfree(raster); return (0); |