authorRobin Watts <Robin.Watts@artifex.com>2023-01-27 17:50:01 +0000
committerRobin Watts <Robin.Watts@artifex.com>2023-02-06 11:35:12 +0000
commita4eb716f1c0564e08c71a787b209fca033289df5 (patch)
treeeacec562fe481919137412cbfdd4ed59db14790f /gpdl
parent8e8dbd978281f88a12000f1abfee85639e6d45ea (diff)
Bug 706265 (Continued): Fix previous GPDL tiff decoder fix.
The previous fix to avoid integer overflow was monumentally broken. Less monumentally broken code here.
Diffstat (limited to 'gpdl')
-rw-r--r--gpdl/tifftop.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/gpdl/tifftop.c b/gpdl/tifftop.c
index 7aa6ce731..1ad40aaa5 100644
--- a/gpdl/tifftop.c
+++ b/gpdl/tifftop.c
@@ -510,16 +510,17 @@ blend_alpha(tiff_interp_instance_t *tiff, size_t n)
static uint32_t
safe_mla(const gs_memory_t *mem, int *code, uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
- if (UINT_MAX/b > a)
+ /* UINT_MAX < b*a means overflow, but we can't calculate that... */
+ if (UINT_MAX/b < a)
goto fail;
a *= b;
- if (UINT_MAX/c > a)
+ if (UINT_MAX/c < a)
goto fail;
a *= c;
if (UINT_MAX-c < d)
goto fail;
- return c+d;
+ return a+d;
fail:
emprintf(mem, "Numeric overflow!\n");
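Review bot: The addition guard `if (UINT_MAX-c < d)` still tests `c`, but the function now returns `a+d` with `a` holding a*b*c, so the sum can wrap without ever reaching `fail`; the guard should read `if (UINT_MAX-a < d)`. The same applies to `if (SIZE_MAX-c < d)` in size_mla in the next hunk, which should be `if (SIZE_MAX-a < d)`. Separately, `UINT_MAX/b` and `UINT_MAX/c` (and the SIZE_MAX equivalents) divide by zero when b or c is 0; if these arguments come from image header fields, which is not visible here, the checks should skip the division for a zero factor, e.g. `if (b != 0 && UINT_MAX/b < a)`. Since the result presumably sizes a buffer, a wrapped value here would undersize it, so a short comment stating that the function returns a*b*c+d or sets *code on overflow would also help callers. The code after `fail:` continues outside the hunk.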
@@ -531,16 +532,17 @@ fail:
static size_t
size_mla(const gs_memory_t *mem, int *code, size_t a, size_t b, size_t c, size_t d)
{
- if (SIZE_MAX/b > a)
+ /* SIZE_MAX < b*a means overflow, but we can't calculate that... */
+ if (SIZE_MAX/b < a)
goto fail;
a *= b;
- if (SIZE_MAX/c > a)
+ if (SIZE_MAX/c < a)
goto fail;
a *= c;
if (SIZE_MAX-c < d)
goto fail;
- return c+d;
+ return a+d;
fail:
emprintf(mem, "Numeric overflow!\n");