* tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds

in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576

1 files changed, 9 insertions, 1 deletions

diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 63ffa961..6e3c6145 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2pdf.c,v 1.94 2016-10-09 11:03:36 erouault Exp $
+/* $Id: tiff2pdf.c,v 1.95 2016-11-11 21:15:25 erouault Exp $
  *
  * tiff2pdf - converts a TIFF image to a PDF document
  *
@@ -1903,6 +1903,10 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
 #ifdef CCITT_SUPPORT
 		if(t2p->pdf_compression == T2P_COMPRESS_G4 ){
 			TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc);
+            if (sbc[0] != (uint64)(tmsize_t)sbc[0]) {
+                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+                t2p->t2p_error = T2P_ERR_ERROR;
+            }
 			t2p->tiff_datasize=(tmsize_t)sbc[0];
 			return;
 		}
@@ -1910,6 +1914,10 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
 #ifdef ZIP_SUPPORT
 		if(t2p->pdf_compression == T2P_COMPRESS_ZIP){
 			TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc);
+            if (sbc[0] != (uint64)(tmsize_t)sbc[0]) {
+                TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+                t2p->t2p_error = T2P_ERR_ERROR;
+            }
 			t2p->tiff_datasize=(tmsize_t)sbc[0];
 			return;
 		}