diff options
author | Robin Watts <Robin.Watts@artifex.com> | 2023-01-27 17:50:01 +0000 |
---|---|---|
committer | Robin Watts <Robin.Watts@artifex.com> | 2023-02-06 11:35:12 +0000 |
commit | a4eb716f1c0564e08c71a787b209fca033289df5 (patch) | |
tree | eacec562fe481919137412cbfdd4ed59db14790f /gpdl | |
parent | 8e8dbd978281f88a12000f1abfee85639e6d45ea (diff) | |
download | ghostpdl-a4eb716f1c0564e08c71a787b209fca033289df5.tar.gz |
Bug 706265 (Continued): Fix previous GPDL tiff decoder fix.
The previous fix to avoid integer overflow was monumentally
broken.
Less monumentally broken code here.
Diffstat (limited to 'gpdl')
-rw-r--r-- | gpdl/tifftop.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/gpdl/tifftop.c b/gpdl/tifftop.c index 7aa6ce731..1ad40aaa5 100644 --- a/gpdl/tifftop.c +++ b/gpdl/tifftop.c @@ -510,16 +510,17 @@ blend_alpha(tiff_interp_instance_t *tiff, size_t n) static uint32_t safe_mla(const gs_memory_t *mem, int *code, uint32_t a, uint32_t b, uint32_t c, uint32_t d) { - if (UINT_MAX/b > a) + /* UINT_MAX < b*a means overflow, but we can't calculate that... */ + if (UINT_MAX/b < a) goto fail; a *= b; - if (UINT_MAX/c > a) + if (UINT_MAX/c < a) goto fail; a *= c; if (UINT_MAX-c < d) goto fail; - return c+d; + return a+d; fail: emprintf(mem, "Numeric overflow!\n"); @@ -531,16 +532,17 @@ fail: static size_t size_mla(const gs_memory_t *mem, int *code, size_t a, size_t b, size_t c, size_t d) { - if (SIZE_MAX/b > a) + /* SIZE_MAX < b*a means overflow, but we can't calculate that... */ + if (SIZE_MAX/b < a) goto fail; a *= b; - if (SIZE_MAX/c > a) + if (SIZE_MAX/c < a) goto fail; a *= c; if (SIZE_MAX-c < d) goto fail; - return c+d; + return a+d; fail: emprintf(mem, "Numeric overflow!\n"); |