| https://codereview.chromium.org/2284063002 |
| https://crbug.com/618267 |
| https://pdfium.googlesource.com/pdfium/+/master/libtiff/ |
| |
| Author: tracy_jiang <tracy_jiang@foxitsoftware.com> |
| Date: Mon Aug 29 13:42:56 2016 -0700 |
| |
| Fix for #618267. Adding a method to determine if multiplication has |
| overflow. |
| |
| --- a/libtiff/tif_aux.c |
| +++ b/libtiff/tif_aux.c |
| @@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, |
| /* |
| * XXX: Check for integer overflow. |
| */ |
| - if (nmemb && elem_size && bytes / elem_size == nmemb) |
| + if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) |
| cp = _TIFFrealloc(buffer, bytes); |
| |
| if (cp == NULL) { |
| --- a/libtiff/tiffiop.h |
| +++ b/libtiff/tiffiop.h |
| @@ -315,6 +315,9 @@ typedef size_t TIFFIOSize_t; |
| #define _TIFF_off_t off_t |
| #endif |
| |
| +#include <limits.h> |
| +#define _TIFFIfMultiplicationOverflow(op1, op2) ((op1) > SSIZE_MAX / (op2)) |
| + |
| #if defined(__cplusplus) |
| extern "C" { |
| #endif |