Used signed overflow checks rather than unsigned integer overflow checks since C language does not define signed overflow behavior

author: bfriesen <bfriesen> 2012-07-06 23:24:46 +0000
committer: bfriesen <bfriesen> 2012-07-06 23:24:46 +0000
commit: 7b10193e028a6eea27446fe012bc4c06577657b1 (patch)
tree: 1a79f446d22361f3b0ff0ce15db51ec26d48fb06
parent: e0b9604fce1624a5dbfecb151ad4a783ace37a28 (diff)
download: libtiff-7b10193e028a6eea27446fe012bc4c06577657b1.tar.gz
1 files changed, 9 insertions, 4 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index c242d8fa..2e1e379e 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.174 2012-02-01 02:24:47 fwarmerdam Exp $ */
+/* $Id: tif_dirread.c,v 1.175 2012-07-06 23:24:46 bfriesen Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -3313,10 +3313,15 @@ TIFFReadDirEntryData(TIFF* tif, uint64 offset, tmsize_t size, void* dest)
 		if (!ReadOK(tif,dest,size))
 			return(TIFFReadDirEntryErrIo);
 	} else {
-		tmsize_t ma,mb;
-		ma=(tmsize_t)offset;
+		size_t ma,mb;
+		ma=(size_t)offset;
 		mb=ma+size;
-		if (((uint64)ma!=offset)||(mb<ma)||(mb<size)||(mb>tif->tif_size))
+		if (((uint64)ma!=offset)
+		    || (mb < ma)
+		    || (mb - ma != (size_t) size)
+		    || (mb < (size_t)size)
+		    || (mb > (size_t)tif->tif_size)
+		    )
 			return(TIFFReadDirEntryErrIo);
 		_TIFFmemcpy(dest,tif->tif_base+ma,size);
 	}
author	bfriesen <bfriesen>	2012-07-06 23:24:46 +0000
committer	bfriesen <bfriesen>	2012-07-06 23:24:46 +0000
commit	7b10193e028a6eea27446fe012bc4c06577657b1 (patch)
tree	1a79f446d22361f3b0ff0ce15db51ec26d48fb06
parent	e0b9604fce1624a5dbfecb151ad4a783ace37a28 (diff)
download	libtiff-7b10193e028a6eea27446fe012bc4c06577657b1.tar.gz