blob: a45ee342f779967a171a41265d1f2e71897329aa (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
https://codereview.chromium.org/2284063002
https://crbug.com/618267
https://pdfium.googlesource.com/pdfium/+/master/libtiff/
Author: tracy_jiang <tracy_jiang@foxitsoftware.com>
Date: Mon Aug 29 13:42:56 2016 -0700
Fix for #618267. Adding a method to determine if multiplication has
overflow.
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
/*
* XXX: Check for integer overflow.
*/
- if (nmemb && elem_size && bytes / elem_size == nmemb)
+ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
cp = _TIFFrealloc(buffer, bytes);
if (cp == NULL) {
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -315,6 +315,9 @@ typedef size_t TIFFIOSize_t;
#define _TIFF_off_t off_t
#endif
+#include <limits.h>
+#define _TIFFIfMultiplicationOverflow(op1, op2) ((op1) > SSIZE_MAX / (op2))
+
#if defined(__cplusplus)
extern "C" {
#endif
|
