https://codereview.chromium.org/2284063002
https://crbug.com/618267
https://pdfium.googlesource.com/pdfium/+/master/libtiff/
Author: tracy_jiang <tracy_jiang@foxitsoftware.com>
Date: Mon Aug 29 13:42:56 2016 -0700
Fix for #618267. Adding a method to determine whether a multiplication
overflows.
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
/*
* XXX: Check for integer overflow.
*/
- if (nmemb && elem_size && bytes / elem_size == nmemb)
+ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
cp = _TIFFrealloc(buffer, bytes);
if (cp == NULL) {
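Review bot: `bytes` is still handed to `_TIFFrealloc` on the line after the new test, but its computation is outside this hunk; if it is still `nmemb * elem_size` evaluated before the test, the product has already overflowed by the time the macro is consulted, which is undefined behaviour if the operands are signed. I would form the product only once the check has passed, e.g. `if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) { bytes = nmemb * elem_size; cp = _TIFFrealloc(buffer, bytes); }`. The explicit `> 0` tests matter because the macro only bounds the product from above, so a negative count from a crafted file would not be rejected by it if these parameters are signed. The body of `_TIFFCheckRealloc` starts and ends outside the hunk, so the declaration of `bytes` and the parameter types need confirming there.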
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -315,6 +315,9 @@ typedef size_t TIFFIOSize_t;
#define _TIFF_off_t off_t
#endif
+#include <limits.h>
+#define _TIFFIfMultiplicationOverflow(op1, op2) ((op1) > SSIZE_MAX / (op2))
+
#if defined(__cplusplus)
extern "C" {
#endif
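Review bot: `SSIZE_MAX` is a POSIX constant that ISO C does not require `<limits.h>` to provide, so this macro may not compile on non-POSIX toolchains; wrapping a fallback in `#ifndef SSIZE_MAX` with a bound derived from the library's own size type would keep the check portable. The macro also divides by `op2` and is only safe because the single caller tests `elem_size` first, and nothing here says so. I would state the contract next to the definition: `/* Non-zero when op1 * op2 would exceed SSIZE_MAX. Requires op1 >= 0 and op2 > 0; op2 == 0 divides by zero. */`. A `static inline` function taking the size type would enforce the operand types and evaluate each argument once, which a macro in a widely included header cannot promise.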