From 9626bb6db9ca12d6bb608e62d51bad2825604ca4 Mon Sep 17 00:00:00 2001
From: Bob Friesenhahn
Date: Sat, 30 May 2015 21:13:39 +0000
Subject: * contrib/addtiffo/tif_overview.c (TIFF_DownSample): Check buffer size calculation for overflow.
---
 contrib/addtiffo/tif_overview.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
(limited to 'contrib')
diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
index 156c0812..c61ffbb8 100644
--- a/contrib/addtiffo/tif_overview.c
+++ b/contrib/addtiffo/tif_overview.c
@@ -272,10 +272,27 @@ void TIFF_DownSample( unsigned char *pabySrcTile,
 int nPixelGroupBytes = (nBitsPerPixel+nPixelSkewBits)/8;
 unsigned char *pabySrc, *pabyDst;
 double *padfSamples;
+ size_t tpadfSamples_size, padfSamples_size;
 assert( nBitsPerPixel >= 8 );
- padfSamples = (double *) malloc(sizeof(double) * nOMult * nOMult);
+ /* sizeof(double) * nOMult * nOMult */
+ tpadfSamples_size=nOMult*nOMult;
+ if ((nOMult != 0) && (tpadfSamples_size/nOMult == (size_t) nOMult)) {
+ padfSamples_size=tpadfSamples_size;
+ tpadfSamples_size=padfSamples_size*sizeof(double);
+ if ((tpadfSamples_size / padfSamples_size) == sizeof(double))
+ padfSamples_size=tpadfSamples_size;
+ else
+ padfSamples_size=0;
+ } else {
+ padfSamples_size=0;
+ }
+ if (padfSamples_size == 0) {
+ /* TODO: This is an error condition */
+ return;
+ }
+ padfSamples = (double *) malloc(padfSamples_size);
 /* ==================================================================== */
 /* Loop over scanline chunks to process, establishing where the */
@@ -893,7 +910,7 @@ void TIFFBuildOverviews( TIFF *hTIFF, int nOverviews, int * panOvList,
 /*
 * Local Variables:
 * mode: c
- * c-basic-offset: 8
+ * c-basic-offset: 4
 * fill-column: 78
 * End:
 */
--
cgit v1.2.1
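Review bot: The overflow test around `tpadfSamples_size=nOMult*nOMult;` runs after the multiplication has already been carried out in the type of `nOMult`, which the `(size_t) nOMult` cast suggests is `int` (its declaration is outside the hunk); signed overflow there is undefined behaviour, so the division check that follows inspects a value the compiler is not obliged to produce. Rejecting non-positive factors and widening before multiplying keeps the whole calculation in `size_t`: `if (nOMult <= 0) return;` followed by `tpadfSamples_size = (size_t) nOMult * (size_t) nOMult;`. The result of `malloc(padfSamples_size)` is also not tested within the hunk, and the early `return` from this `void` function gives the caller no sign that the tile was left unprocessed, which the `TODO` comment already concedes. The body of `TIFF_DownSample` starts and ends outside the hunk, so a later NULL check on `padfSamples` cannot be ruled out from here.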