tiff: Check for integer overflows in multiplication

The checks currently in use are not sufficient, because they depend on undefined behaviour: rowstride = width * 4; if (rowstride / 4 != width) { /* overflow */ If the multiplication has already overflowed, the compiler may decide to optimize the if out and thus we do not handle the erroneous case. Rearrange the checks to avoid the undefined behaviour. Note that gcc doesn't seem to be impacted, though a defined behaviour is obviously preferred. CVE-2017-2870 https://bugzilla.gnome.org/show_bug.cgi?id=780269
author: Ludovico de Nittis <aasonykk@gmail.com> 2017-03-19 16:11:13 +0100
committer: Bastien Nocera <hadess@hadess.net> 2017-07-13 18:57:16 +0200
commit: 31a6cff3dfc6944aad4612a9668b8ad39122e48b (patch)
tree: 33f5b605fb750799a6c4fb32acba6f11c867c374 /gdk-pixbuf
parent: eb0754b706e80d40c87b7de79a5031a5f2083a65 (diff)
download: gdk-pixbuf-31a6cff3dfc6944aad4612a9668b8ad39122e48b.tar.gz
1 files changed, 8 insertions, 6 deletions
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index fb5d55095..7d055cfa8 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
                                      _("Width or height of TIFF image is zero"));
                 return NULL;                
         }
-        
-        rowstride = width * 4;
-        if (rowstride / 4 != width) { /* overflow */
+
+        if (width > G_MAXINT / 4) { /* overflow */
                 g_set_error_literal (error,
                                      GDK_PIXBUF_ERROR,
                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                      _("Dimensions of TIFF image too large"));
                 return NULL;                
         }
-        
-        bytes = height * rowstride;
-        if (bytes / rowstride != height) { /* overflow */
+
+        rowstride = width * 4;
+
+        if (height > G_MAXINT / rowstride) { /* overflow */
                 g_set_error_literal (error,
                                      GDK_PIXBUF_ERROR,
                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
                 return NULL;                
         }
 
+        bytes = height * rowstride;
+
 	if (context && context->size_func) {
                 gint w = width;
                 gint h = height;
author	Ludovico de Nittis <aasonykk@gmail.com>	2017-03-19 16:11:13 +0100
committer	Bastien Nocera <hadess@hadess.net>	2017-07-13 18:57:16 +0200
commit	31a6cff3dfc6944aad4612a9668b8ad39122e48b (patch)
tree	33f5b605fb750799a6c4fb32acba6f11c867c374 /gdk-pixbuf
parent	eb0754b706e80d40c87b7de79a5031a5f2083a65 (diff)
download	gdk-pixbuf-31a6cff3dfc6944aad4612a9668b8ad39122e48b.tar.gz