tiff: Avoid overflowing buffer size computation

Use g_uint_checked_mul() to avoid overflowing the guint used for buffer size calculation. https://bugzilla.gnome.org/show_bug.cgi?id=779020
author: Bastien Nocera <hadess@hadess.net> 2017-12-05 10:26:49 +0100
committer: Bastien Nocera <hadess@hadess.net> 2017-12-05 11:38:54 +0100
commit: 1e513abdb55529f888233d3c96b27352d83aad5f (patch)
tree: af31e1c4add7cf5b9c8e7e3f613e100a76d255ea
parent: 8e60f4b0278c12c28b4a9145eb8835fb9c9ec04c (diff)
download: gdk-pixbuf-1e513abdb55529f888233d3c96b27352d83aad5f.tar.gz
1 files changed, 9 insertions, 2 deletions
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index 7ca0a565a..49fe60eee 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint needed)
         need_alloc = context->used + needed;
         if (need_alloc > context->allocated) {
                 guint new_size = 1;
-                while (new_size < need_alloc)
-                        new_size *= 2;
+                while (new_size < need_alloc) {
+                        if (!g_uint_checked_mul (&new_size, new_size, 2)) {
+                                new_size = 0;
+                                break;
+                        }
+                }
+
+                if (new_size == 0)
+                        return FALSE;
 
                 new_buffer = g_try_realloc (context->buffer, new_size);
                 if (new_buffer) {
author	Bastien Nocera <hadess@hadess.net>	2017-12-05 10:26:49 +0100
committer	Bastien Nocera <hadess@hadess.net>	2017-12-05 11:38:54 +0100
commit	1e513abdb55529f888233d3c96b27352d83aad5f (patch)
tree	af31e1c4add7cf5b9c8e7e3f613e100a76d255ea
parent	8e60f4b0278c12c28b4a9145eb8835fb9c9ec04c (diff)
download	gdk-pixbuf-1e513abdb55529f888233d3c96b27352d83aad5f.tar.gz