22422
|
1 |
--- libtiff/tif_getimage.c.orig 2012-04-19 08:49:47.367361776 +0100
|
|
2 |
+++ libtiff/tif_getimage.c 2012-04-19 09:42:41.967552598 +0100
|
|
3 |
@@ -673,18 +673,24 @@
|
|
4 |
unsigned char* p2;
|
|
5 |
unsigned char* pa;
|
|
6 |
tsize_t tilesize;
|
|
7 |
+ tsize_t bufsize;
|
|
8 |
int32 fromskew, toskew;
|
|
9 |
int alpha = img->alpha;
|
|
10 |
uint32 nrow;
|
|
11 |
int ret = 1, flip;
|
|
12 |
|
|
13 |
tilesize = TIFFTileSize(tif);
|
|
14 |
- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
|
|
15 |
+ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize);
|
|
16 |
+ if (bufsize == 0) {
|
|
17 |
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
|
|
18 |
+ return (0);
|
|
19 |
+ }
|
|
20 |
+ buf = (unsigned char*) _TIFFmalloc(bufsize);
|
|
21 |
if (buf == 0) {
|
|
22 |
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
|
|
23 |
return (0);
|
|
24 |
}
|
|
25 |
- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
|
|
26 |
+ _TIFFmemset(buf, 0, bufsize);
|
|
27 |
p0 = buf;
|
|
28 |
p1 = p0 + tilesize;
|
|
29 |
p2 = p1 + tilesize;
|
|
30 |
@@ -880,17 +886,23 @@
|
|
31 |
uint32 rowsperstrip, offset_row;
|
|
32 |
uint32 imagewidth = img->width;
|
|
33 |
tsize_t stripsize;
|
|
34 |
+ tsize_t bufsize;
|
|
35 |
int32 fromskew, toskew;
|
|
36 |
int alpha = img->alpha;
|
|
37 |
int ret = 1, flip;
|
|
38 |
|
|
39 |
stripsize = TIFFStripSize(tif);
|
|
40 |
- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
|
|
41 |
+ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize);
|
|
42 |
+ if (bufsize == 0) {
|
|
43 |
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
|
|
44 |
+ return (0);
|
|
45 |
+ }
|
|
46 |
+ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
|
|
47 |
if (buf == 0) {
|
|
48 |
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
|
|
49 |
return (0);
|
|
50 |
}
|
|
51 |
- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
|
|
52 |
+ _TIFFmemset(buf, 0, bufsize);
|
|
53 |
p1 = p0 + stripsize;
|
|
54 |
p2 = p1 + stripsize;
|
|
55 |
pa = (alpha?(p2+stripsize):NULL);
|
|
56 |
--- libtiff/tiffiop.h.orig 2012-04-19 08:50:17.752392827 +0100
|
|
57 |
+++ libtiff/tiffiop.h 2012-04-19 08:50:51.586979922 +0100
|
|
58 |
@@ -246,7 +246,7 @@
|
|
59 |
#define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
|
|
60 |
|
|
61 |
/* Safe multiply which returns zero if there is an integer overflow */
|
|
62 |
-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
|
|
63 |
+#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
|
|
64 |
|
|
65 |
#define TIFFmax(A,B) ((A)>(B)?(A):(B))
|
|
66 |
#define TIFFmin(A,B) ((A)<(B)?(A):(B))
|