authorbfriesen <bfriesen>2017-10-29 18:50:41 +0000
committerbfriesen <bfriesen>2017-10-29 18:50:41 +0000
commit8d505f865edce3c45967ffdc3902fa00c8fd5a90 (patch)
treedb929dce1ff816fb30deaae27cd172efa1b5f612
parentab3f534166ca4cead544d209d3a70ff347a5548e (diff)
downloadlibtiff-8d505f865edce3c45967ffdc3902fa00c8fd5a90.tar.gz
tiff2pdf.c: Fix possible overflow in bounds check computation and eliminate signed/unsigned comparison.
-rw-r--r--ChangeLog4
-rw-r--r--tools/tiff2pdf.c10
2 files changed, 11 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index eafbdb85..5a88d14e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
2017-10-29 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+ * tools/tiff2pdf.c (t2p_sample_realize_palette): Fix possible
+ arithmetic overflow in bounds checking code and eliminate
+ comparison between signed and unsigned type.
+
* tools/fax2tiff.c (_FAX_Client_Data): Pass FAX_Client_Data as the
client data. This client data is not used at all at the moment,
but it makes the most sense. Issue that the value of
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index caf64ee5..454befbd 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $
+/* $Id: tiff2pdf.c,v 1.103 2017-10-29 18:50:41 bfriesen Exp $
*
* tiff2pdf - converts a TIFF image to a PDF document
*
@@ -3660,11 +3660,15 @@ tsize_t t2p_sample_realize_palette(T2P* t2p, unsigned char* buffer){
uint32 sample_offset=0;
uint32 i=0;
uint32 j=0;
+ size_t data_size;
sample_count=t2p->tiff_width*t2p->tiff_length;
component_count=t2p->tiff_samplesperpixel;
- if( sample_count * component_count > t2p->tiff_datasize )
+ data_size=TIFFSafeMultiply(size_t,sample_count,component_count);
+ if( (data_size == 0U) || (t2p->tiff_datasize < 0) ||
+ (data_size > (size_t) t2p->tiff_datasize) )
{
- TIFFError(TIFF2PDF_MODULE, "Error: sample_count * component_count > t2p->tiff_datasize");
+ TIFFError(TIFF2PDF_MODULE,
+ "Error: sample_count * component_count > t2p->tiff_datasize");
t2p->t2p_error = T2P_ERR_ERROR;
return 1;
}
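Review bot: The product on the unchanged line `sample_count=t2p->tiff_width*t2p->tiff_length;` is still computed without an overflow check, so the new TIFFSafeMultiply call guards only the second multiplication. If width and length are 32-bit values read from the file (their declarations are outside this hunk), a wrapped sample_count would be compared against tiff_datasize in place of the image's real pixel count. Routing it through the same helper, e.g. `sample_count=TIFFSafeMultiply(uint32,t2p->tiff_width,t2p->tiff_length);` assuming sample_count is a uint32, should turn a wrapped product into 0, which the existing `data_size == 0U` test already rejects. The error text now covers three distinct conditions (overflow or zero size, negative tiff_datasize, size too large), so a message per case would make failures easier to triage. The body of t2p_sample_realize_palette starts and ends outside the hunk.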