authorerouault <erouault>2017-05-13 18:29:38 +0000
committererouault <erouault>2017-05-13 18:29:38 +0000
commitc240ce2bb162bd80f4396b3a3738690136ab6c93 (patch)
tree313a44aedc643b58c2e80c19ccf5743c4a7eb48d
parent4f9ffe043b649cdd3230cfd402e3d3125e224306 (diff)
downloadlibtiff-c240ce2bb162bd80f4396b3a3738690136ab6c93.tar.gz
* libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
overflows in multiply_ms() and add_ms(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558 Credit to OSS-Fuzz
-rw-r--r--ChangeLog7
-rw-r--r--libtiff/tif_luv.c15
-rw-r--r--libtiff/tif_pixarlog.c24
3 files changed, 26 insertions, 20 deletions
diff --git a/ChangeLog b/ChangeLog
index 22b11ad5..120a80da 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2017-05-13 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
+ overflows in multiply_ms() and add_ms().
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
+ Credit to OSS-Fuzz
+
+2017-05-13 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_color.c: avoid potential int32 overflow in
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 1f6d8ba3..08d8b4f3 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.45 2017-01-11 20:33:35 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.46 2017-05-13 18:29:38 erouault Exp $ */
/*
* Copyright (c) 1997 Greg Ward Larson
@@ -1264,15 +1264,16 @@ LogL16GuessDataFmt(TIFFDirectory *td)
return (SGILOGDATAFMT_UNKNOWN);
}
+
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+ return 0;
+ return m1 * m2;
}
static int
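Review bot: The new guard in multiply_ms() only covers non-negative operands. tmsize_t is signed, so with m1 > 0 and a negative m2 the test `m2 > TIFF_TMSIZE_T_MAX / m1` is false and `m1 * m2` is still evaluated, giving a negative size or a signed overflow for large magnitudes. Whether any caller can pass a negative value is not visible in this hunk, but these helpers presumably size buffers from image dimensions, so rejecting them is cheap: `if( m1 <= 0 || m2 <= 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )`. The same applies to the identical multiply_ms() added in libtiff/tif_pixarlog.c. A short comment above the function stating that a return of 0 means "overflow or empty" would also help readers of the call sites.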
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index ae84fff5..4b62f4b6 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -1,4 +1,4 @@
-/* $Id: tif_pixarlog.c,v 1.51 2017-05-10 15:21:16 erouault Exp $ */
+/* $Id: tif_pixarlog.c,v 1.52 2017-05-13 18:29:38 erouault Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@@ -636,29 +636,27 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
return guess;
}
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+ return 0;
+ return m1 * m2;
}
static tmsize_t
add_ms(tmsize_t m1, tmsize_t m2)
{
- tmsize_t bytes = m1 + m2;
-
/* if either input is zero, assume overflow already occurred */
if (m1 == 0 || m2 == 0)
- bytes = 0;
- else if (bytes <= m1 || bytes <= m2)
- bytes = 0;
+ return 0;
+ else if (m1 > TIFF_TMSIZE_T_MAX - m2)
+ return 0;
- return bytes;
+ return m1 + m2;
}
static int
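Review bot: In add_ms() the subtraction `TIFF_TMSIZE_T_MAX - m2` is itself signed arithmetic, so a negative m2 makes the guard overflow before it can reject anything, and the zero check above it does not exclude negatives. If negative inputs are possible (not visible here), `if (m1 <= 0 || m2 <= 0) return 0;` closes that gap. Separately, TIFF_SIZE_T_MAX and TIFF_TMSIZE_T_MAX are now defined identically in tif_luv.c and in this file, and the second expansion has no outer parentheses. A single definition in a shared internal header, written as `((tmsize_t)(TIFF_SIZE_T_MAX >> 1))`, would keep the two copies from drifting apart.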