diff options
author | bfriesen <bfriesen> | 2014-12-22 02:52:38 +0000 |
---|---|---|
committer | bfriesen <bfriesen> | 2014-12-22 02:52:38 +0000 |
commit | b3cef68ef6916c71413fa460a2908bcacb19bc7b (patch) | |
tree | c25266436dc729ba6dc55fafcdcce1c26c9e9b31 /tools | |
parent | 70e21d5e3fe2c71628bf09b775c3b33f31076fee (diff) | |
download | libtiff-b3cef68ef6916c71413fa460a2908bcacb19bc7b.tar.gz |
* tools/tiffdump.c: Guard against arithmetic overflow when
calculating allocation buffer sizes.
Diffstat (limited to 'tools')
-rw-r--r-- | tools/tiffdump.c | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/tools/tiffdump.c b/tools/tiffdump.c index 12a1e587..f490d85f 100644 --- a/tools/tiffdump.c +++ b/tools/tiffdump.c @@ -1,4 +1,4 @@ -/* $Id: tiffdump.c,v 1.29 2014-12-21 15:15:32 erouault Exp $ */ +/* $Id: tiffdump.c,v 1.30 2014-12-22 02:52:38 bfriesen Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -34,6 +34,8 @@ # include <unistd.h> #endif +#include "tiffiop.h" + #ifdef HAVE_FCNTL_H # include <fcntl.h> #endif @@ -233,8 +235,21 @@ dump(int fd, uint64 diroff) Fatal("Cycle detected in chaining of TIFF directories!"); } } - visited_diroff = (uint64*) realloc(visited_diroff, - (count_visited_dir + 1) * sizeof(uint64)); + { + size_t alloc_size; + alloc_size=TIFFSafeMultiply(tmsize_t,(count_visited_dir + 1), + sizeof(uint64)); + if (alloc_size == 0) + { + if (visited_diroff) + free(visited_diroff); + visited_diroff = 0; + } + else + { + visited_diroff = (uint64*) realloc(visited_diroff,alloc_size); + } + } if( !visited_diroff ) Fatal("Out of memory"); visited_diroff[count_visited_dir] = diroff; @@ -322,7 +337,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) dircount = (uint16)dircount64; direntrysize = 20; } - dirmem = _TIFFmalloc(dircount * direntrysize); + dirmem = _TIFFmalloc(TIFFSafeMultiply(tmsize_t,dircount,direntrysize)); if (dirmem == NULL) { Fatal("No space for TIFF directory"); goto done; |