author | dron <dron> | 2010-07-07 14:02:56 +0000 |
---|---|---|
committer | dron <dron> | 2010-07-07 14:02:56 +0000 |
commit | 26acf5909577e7f7d7385a210b3e9afbdeca2d1a (patch) | |
tree | 2bd5ad89c75c9bf2832b9a78090ce7b6efd97315 | |
parent | 2f16cfe603f84bb97864366027d3c0745cb24580 (diff) | |
download | libtiff-26acf5909577e7f7d7385a210b3e9afbdeca2d1a.tar.gz |
Avoid integer overflows computing the buffer size for large directories. As
per bug http://bugzilla.maptools.org/show_bug.cgi?id=2218
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | tools/tiffdump.c | 11 |
2 files changed, 14 insertions, 3 deletions
@@ -1,3 +1,9 @@
+2010-07-07 Andrey Kiselev <dron@ak4719.spb.edu>
+
+ * tools/tiffdump.c: Avoid integer overflows computing the buffer size
+ for large directories. As per bug
+ http://bugzilla.maptools.org/show_bug.cgi?id=2218
+
 2010-07-06 Andrey Kiselev <dron@ak4719.spb.edu>
 
 * tools/tiffset.c: Properly handle TIFFTAG_PAGENUMBER,
diff --git a/tools/tiffdump.c b/tools/tiffdump.c
index 8f9461ce..3be72420 100644
--- a/tools/tiffdump.c
+++ b/tools/tiffdump.c
@@ -1,4 +1,4 @@
-/* $Id: tiffdump.c,v 1.13.2.3 2010-07-02 11:03:25 dron Exp $ */
+/* $Id: tiffdump.c,v 1.13.2.4 2010-07-07 14:02:56 dron Exp $ */
 
 /*
 * Copyright (c) 1988-1997 Sam Leffler
@@ -52,6 +52,11 @@
 # define O_BINARY 0
 #endif
 
+/* Safe multiply which returns zero if there is an integer overflow */
+#ifndef TIFFSafeMultiply
+# define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
+#endif
+
 char* appname;
 char* curfile;
 int swabflag;
@@ -314,7 +319,7 @@ ReadDirectory(int fd, unsigned ix, off_t off)
 printf(">\n");
 continue;
 }
- space = dp->tdir_count * datawidth[dp->tdir_type];
+ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
 if (space <= 0) {
 printf(">\n");
 Error("Invalid count for tag %u", dp->tdir_tag);
@@ -638,7 +643,7 @@ TIFFFetchData(int fd, TIFFDirEntry* dir, void* cp)
 w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
 cc = dir->tdir_count * w;
 if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
- && read(fd, cp, cc) != -1) {
+ && read(fd, cp, cc) == cc) {
 if (swabflag) {
 switch (dir->tdir_type) {
 case TIFF_SHORT: |
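Review bot: The `TIFFSafeMultiply` macro added in the `@@ -52,6 +52,11 @@` hunk performs `v*m` in the operands' own promoted type and casts to `t` only afterwards, so its divide-back check detects wrap-around only when that arithmetic is unsigned; with signed operands the overflow it is meant to catch would already be undefined behaviour. The arguments are also expanded unparenthesized and several times, so an expression argument such as `a + b`, or one with side effects, would be mis-evaluated. I would parenthesize them, `# define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)`, and extend the comment to state that operands must be unsigned and side-effect free. At the `ReadDirectory` call site in the following hunk, a product that fits the operand type but not `int` is presumably rejected only by the existing `space <= 0` test (the declarations of `tdir_count` and `datawidth` are outside the diff), so a one-line comment there naming that dependency would help.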
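Review bot: `cc = dir->tdir_count * w;` in the `TIFFFetchData` hunk is still the unchecked multiplication this commit replaces in `ReadDirectory`, so the length handed to `read()` is recomputed separately from the size the caller validated. If the two ever disagree, `read(fd, cp, cc)` can write beyond the buffer behind `cp`, which is presumably sized by the caller; using the same helper here, `cc = TIFFSafeMultiply(int, dir->tdir_count, w);` with an early failure return when `cc <= 0`, keeps both paths under one rule. The new `== cc` test also compares the return value of `read()` against `cc`, whose declaration is outside the hunk, so a negative `cc` should be excluded before the call rather than left to that comparison. The function body starts and ends outside this hunk, so the failure return has to follow whatever convention the rest of the function uses.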