diff options
author | erouault <erouault> | 2016-11-11 21:15:25 +0000 |
---|---|---|
committer | erouault <erouault> | 2016-11-11 21:15:25 +0000 |
commit | 02de927c729ce7b0aba89a198383790d4f8956ce (patch) | |
tree | ab2375dfc4a71d88827fa926e805a605424413f6 /tools | |
parent | 3a06513975b96ef1f9b0c0896bfd929993947fc8 (diff) | |
download | libtiff-02de927c729ce7b0aba89a198383790d4f8956ce.tar.gz |
* tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
Diffstat (limited to 'tools')
-rw-r--r-- | tools/tiff2pdf.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c index 63ffa961..6e3c6145 100644 --- a/tools/tiff2pdf.c +++ b/tools/tiff2pdf.c @@ -1,4 +1,4 @@ -/* $Id: tiff2pdf.c,v 1.94 2016-10-09 11:03:36 erouault Exp $ +/* $Id: tiff2pdf.c,v 1.95 2016-11-11 21:15:25 erouault Exp $ * * tiff2pdf - converts a TIFF image to a PDF document * @@ -1903,6 +1903,10 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){ #ifdef CCITT_SUPPORT if(t2p->pdf_compression == T2P_COMPRESS_G4 ){ TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc); + if (sbc[0] != (uint64)(tmsize_t)sbc[0]) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } t2p->tiff_datasize=(tmsize_t)sbc[0]; return; } @@ -1910,6 +1914,10 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){ #ifdef ZIP_SUPPORT if(t2p->pdf_compression == T2P_COMPRESS_ZIP){ TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc); + if (sbc[0] != (uint64)(tmsize_t)sbc[0]) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } t2p->tiff_datasize=(tmsize_t)sbc[0]; return; } |