| https://codereview.chromium.org/2405693002 |
| https://crbug.com/654169 |
| https://pdfium.googlesource.com/pdfium/+/master/libtiff/ |
| |
| Author: stackexploit <stackexploit@gmail.com> |
| Date: Mon Oct 10 10:58:25 2016 -0700 |
| |
| libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip. |
| |
| The patch (https://codereview.chromium.org/2284063002) for Issue 618267 |
| was insufficient. The integer overflow still could be triggered and could |
| lead to heap buffer overflow. |
| |
| This CL strengthens integer overflow check in function _TIFFCheckRealloc. |
| |
| --- a/libtiff/tif_aux.c |
| +++ b/libtiff/tif_aux.c |
| @@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, |
| /* |
| * XXX: Check for integer overflow. |
| */ |
| - if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) |
| + if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) |
| cp = _TIFFrealloc(buffer, bytes); |
| |
| if (cp == NULL) { |