blob: 35f59b9bffd984be752052c047b95b89384627be (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
https://codereview.chromium.org/2405693002
https://crbug.com/654169
https://pdfium.googlesource.com/pdfium/+/master/libtiff/
Author: stackexploit <stackexploit@gmail.com>
Date: Mon Oct 10 10:58:25 2016 -0700
libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.
The patch (https://codereview.chromium.org/2284063002) for Issue 618267
was insufficient. The integer overflow still could be triggered and could
lead to heap buffer overflow.
This CL strengthens integer overflow check in function _TIFFCheckRealloc.
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
/*
* XXX: Check for integer overflow.
*/
- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
cp = _TIFFrealloc(buffer, bytes);
if (cp == NULL) {
|
