Avoid integer overflows computing the buffer size for large directories. As

per bug http://bugzilla.maptools.org/show_bug.cgi?id=2218

2 files changed, 14 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index d4c0fd63..43ceaf47 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2010-07-07  Andrey Kiselev  <dron@ak4719.spb.edu>
+
+	* tools/tiffdump.c: Avoid integer overflows computing the buffer size
+	for large directories. As per bug
+	http://bugzilla.maptools.org/show_bug.cgi?id=2218
+
 2010-07-06  Andrey Kiselev  <dron@ak4719.spb.edu>
 
 	* tools/tiffset.c: Properly handle TIFFTAG_PAGENUMBER,
diff --git a/tools/tiffdump.c b/tools/tiffdump.c
index 8f9461ce..3be72420 100644
--- a/tools/tiffdump.c
+++ b/tools/tiffdump.c
@@ -1,4 +1,4 @@
-/* $Id: tiffdump.c,v 1.13.2.3 2010-07-02 11:03:25 dron Exp $ */
+/* $Id: tiffdump.c,v 1.13.2.4 2010-07-07 14:02:56 dron Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -52,6 +52,11 @@
 # define O_BINARY	0
 #endif
 
+/* Safe multiply which returns zero if there is an integer overflow */
+#ifndef TIFFSafeMultiply
+# define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
+#endif
+
 char*	appname;
 char*	curfile;
 int	swabflag;
@@ -314,7 +319,7 @@ ReadDirectory(int fd, unsigned ix, off_t off)
 			printf(">\n");
 			continue;
 		}
-		space = dp->tdir_count * datawidth[dp->tdir_type];
+		space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
 		if (space <= 0) {
 			printf(">\n");
 			Error("Invalid count for tag %u", dp->tdir_tag);
@@ -638,7 +643,7 @@ TIFFFetchData(int fd, TIFFDirEntry* dir, void* cp)
 	w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
 	cc = dir->tdir_count * w;
 	if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
-	    && read(fd, cp, cc) != -1) {
+	    && read(fd, cp, cc) == cc) {
 		if (swabflag) {
 			switch (dir->tdir_type) {
 			case TIFF_SHORT: