From 8d505f865edce3c45967ffdc3902fa00c8fd5a90 Mon Sep 17 00:00:00 2001
From: bfriesen
Date: Sun, 29 Oct 2017 18:50:41 +0000
Subject: tiff2pdf.c: Fix possible overflow in bounds check computation and eliminate signed/unsigned comparison.
---
 ChangeLog | 4 ++++
 tools/tiff2pdf.c | 10 +++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index eafbdb85..5a88d14e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2017-10-29 Bob Friesenhahn
+ * tools/tiff2pdf.c (t2p_sample_realize_palette): Fix possible
+ arithmetic overflow in bounds checking code and eliminate
+ comparison between signed and unsigned type.
+
 * tools/fax2tiff.c (_FAX_Client_Data): Pass FAX_Client_Data as the client data. This client data is not used at all at the moment, but it makes the most sense. Issue that the value of
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index caf64ee5..454befbd 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $
+/* $Id: tiff2pdf.c,v 1.103 2017-10-29 18:50:41 bfriesen Exp $
 *
 * tiff2pdf - converts a TIFF image to a PDF document
 *
@@ -3660,11 +3660,15 @@ tsize_t t2p_sample_realize_palette(T2P* t2p, unsigned char* buffer){
 uint32 sample_offset=0;
 uint32 i=0;
 uint32 j=0;
+ size_t data_size;
 sample_count=t2p->tiff_width*t2p->tiff_length;
 component_count=t2p->tiff_samplesperpixel;
- if( sample_count * component_count > t2p->tiff_datasize )
+ data_size=TIFFSafeMultiply(size_t,sample_count,component_count);
+ if( (data_size == 0U) || (t2p->tiff_datasize < 0) ||
+ (data_size > (size_t) t2p->tiff_datasize) )
 {
- TIFFError(TIFF2PDF_MODULE, "Error: sample_count * component_count > t2p->tiff_datasize");
+ TIFFError(TIFF2PDF_MODULE,
+ "Error: sample_count * component_count > t2p->tiff_datasize");
 t2p->t2p_error = T2P_ERR_ERROR;
 return 1;
 }
--
cgit v1.2.1
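Review bot: In the `t2p_sample_realize_palette` hunk, the product `t2p->tiff_width*t2p->tiff_length` assigned to `sample_count` is still computed without an overflow check. If those fields are 32-bit (their declarations, and that of `sample_count`, are outside this hunk), the new `TIFFSafeMultiply` guard is applied to a value that may already have wrapped, so the check then validates a count that no longer matches the image dimensions. Consider routing the first multiplication through the same helper, e.g. `sample_count=TIFFSafeMultiply(uint32,t2p->tiff_width,t2p->tiff_length);`, so that the existing `data_size == 0U` test presumably rejects that case too. The error string also still reports only the `>` comparison although the branch is now taken for overflow and for a negative `tiff_datasize`; a message such as `"Error: sample_count * component_count overflows or exceeds t2p->tiff_datasize"` would make failures easier to triage. The function body continues beyond the hunk.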