author | Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | 2009-08-24 17:15:05 +0000 |
---|---|---|
committer | Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | 2009-08-24 17:15:05 +0000 |
commit | 614f95d8b13b88ace11360c6ca63192dd52444e6 (patch) | |
tree | 9692c567cc9320821d4fee774177a057fa87cac2 /tools/tiff2rgba.c | |
parent | ed66fcdf7bdc8bf8fade79f1026dcaa3b9ee007b (diff) | |
download | libtiff-git-614f95d8b13b88ace11360c6ca63192dd52444e6.tar.gz |
* tools/{rgb2ycbcr.c, tiff2rgba.c}: Applied fixes for "Bug 2079 -
CVE-2009-2347 libtiff: integer overflows in various inter-color
space conversion tools".
http://bugzilla.maptools.org/show_bug.cgi?id=2079
Diffstat (limited to 'tools/tiff2rgba.c')
-rw-r--r-- | tools/tiff2rgba.c | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 074cf0f6..bc2f1790 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2rgba.c,v 1.16 2009-01-22 20:53:07 fwarmerdam Exp $ */
+/* $Id: tiff2rgba.c,v 1.17 2009-08-24 17:15:05 bfriesen Exp $ */
 /*
 * Copyright (c) 1991-1997 Sam Leffler
@@ -38,6 +38,7 @@
 # include "libport.h"
 #endif
+#include "tiffiop.h"
 #include "tiffio.h"
 #define streq(a,b) (strcmp(a,b) == 0)
@@ -354,16 +355,27 @@ cvt_whole_image( TIFF *in, TIFF *out )
 uint32* raster; /* retrieve RGBA image */
 uint32 width, height; /* image width & height */
 uint32 row;
+ size_t pixel_count;
 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+ pixel_count = width * height;
+
+ /* XXX: Check the integer overflow. */
+ if (!width || !height || pixel_count / width != height) {
+ TIFFError(TIFFFileName(in),
+ "Malformed input file; can't allocate buffer for raster of %lux%lu size",
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
 rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
 TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
+ raster = (uint32*)_TIFFCheckMalloc(in, pixel_count, sizeof(uint32), "raster buffer");
 if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
+ TIFFError(TIFFFileName(in), "Failed to allocate buffer (%lu elements of %lu each)",
+ (unsigned long)pixel_count, (unsigned long)sizeof(uint32));
 return (0);
 }
@@ -387,16 +399,17 @@ cvt_whole_image( TIFF *in, TIFF *out )
 */
 if (no_alpha) {
- int pixel_count = width * height;
+ size_t count = pixel_count;
 unsigned char *src, *dst;
 src = dst = (unsigned char *) raster;
- while (pixel_count > 0)
+ while (count > 0)
 {
 *(dst++) = *(src++);
 *(dst++) = *(src++);
 *(dst++) = *(src++);
- src++, pixel_count--;
+ src++;
+ count--;
 }
 }
|
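Review bot: The added `#include "tiffiop.h"` in the second hunk pulls what looks like the library's private header into a command-line tool, apparently only so that cvt_whole_image can call `_TIFFCheckMalloc`. That ties the tool to an internal symbol, which may not be available when the tool is built against an installed or shared libtiff rather than inside the source tree. If the coupling is intended, record the reason on the include line, e.g. `#include "tiffiop.h" /* private header, needed for _TIFFCheckMalloc() */`.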
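Review bot: The guard `pixel_count / width != height` in cvt_whole_image only detects overflow because `width * height` is evaluated in `uint32` arithmetic and wraps before it is stored in the `size_t`, and the `XXX` comment does not record that. A later cleanup that casts an operand to `size_t` would change what the test rejects on 64-bit targets, so the comment should say it: `/* width * height is computed as uint32 and wraps on overflow; the division detects the wrap. */`. The check bounds only the pixel count. Where `size_t` is 32 bits, `pixel_count * sizeof(uint32)` can still wrap, so the allocation relies on `_TIFFCheckMalloc` rejecting that product, presumably the reason count and element size are passed separately; its body is not on this page. The return values of the two `TIFFGetField` calls above the check are not tested either, so `width` and `height` would be read uninitialized if a lookup failed.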