patches/tiff-01-CVE-2012-1173.diff
branchgnome-2-30-s11rr-sru
changeset 22422 cff59c39235f
22417:696a931d7847 22422:cff59c39235f
       
     1 --- libtiff/tif_getimage.c.orig	2012-04-19 08:49:47.367361776 +0100
       
     2 +++ libtiff/tif_getimage.c	2012-04-19 09:42:41.967552598 +0100
       
     3 @@ -673,18 +673,24 @@
       
     4  	unsigned char* p2;
       
     5  	unsigned char* pa;
       
     6  	tsize_t tilesize;
       
     7 +	tsize_t bufsize;
       
     8  	int32 fromskew, toskew;
       
     9  	int alpha = img->alpha;
       
    10  	uint32 nrow;
       
    11  	int ret = 1, flip;
       
    12  
       
    13  	tilesize = TIFFTileSize(tif);
       
    14 -	buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
       
    15 +	bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize);
       
    16 +	if (bufsize == 0) {
       
    17 +		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
       
    18 +		return (0);
       
    19 +	}
       
    20 +	buf = (unsigned char*) _TIFFmalloc(bufsize);
       
    21  	if (buf == 0) {
       
    22  		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
       
    23  		return (0);
       
    24  	}
       
    25 -	_TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
       
    26 +	_TIFFmemset(buf, 0, bufsize);
       
    27  	p0 = buf;
       
    28  	p1 = p0 + tilesize;
       
    29  	p2 = p1 + tilesize;
       
    30 @@ -880,17 +886,23 @@
       
    31  	uint32 rowsperstrip, offset_row;
       
    32  	uint32 imagewidth = img->width;
       
    33  	tsize_t stripsize;
       
    34 +	tsize_t bufsize;
       
    35  	int32 fromskew, toskew;
       
    36  	int alpha = img->alpha;
       
    37  	int ret = 1, flip;
       
    38  
       
    39  	stripsize = TIFFStripSize(tif);
       
    40 -	p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
       
    41 +	bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize);
       
    42 +	if (bufsize == 0) {
       
    43 +		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
       
    44 +		return (0);
       
    45 +	}
       
    46 +	p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
       
    47  	if (buf == 0) {
       
    48  		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
       
    49  		return (0);
       
    50  	}
       
    51 -	_TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
       
    52 +	_TIFFmemset(buf, 0, bufsize);
       
    53  	p1 = p0 + stripsize;
       
    54  	p2 = p1 + stripsize;
       
    55  	pa = (alpha?(p2+stripsize):NULL);
       
    56 --- libtiff/tiffiop.h.orig	2012-04-19 08:50:17.752392827 +0100
       
    57 +++ libtiff/tiffiop.h	2012-04-19 08:50:51.586979922 +0100
       
    58 @@ -246,7 +246,7 @@
       
    59  #define	TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
       
    60  
       
    61  /* Safe multiply which returns zero if there is an integer overflow */
       
    62 -#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
       
    63 +#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
       
    64  
       
    65  #define TIFFmax(A,B) ((A)>(B)?(A):(B))
       
    66  #define TIFFmin(A,B) ((A)<(B)?(A):(B))
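Review bot: The `if (bufsize == 0)` test after `TIFFSafeMultiply` in the gtTileSeparate hunk cannot tell an overflow apart from `tilesize == 0` (the macro also yields 0 when its `m` argument is 0), so a zero-size tile that TIFFTileSize has already rejected gets reported as "Integer overflow in gtTileSeparate"; the gtStripSeparate hunk has the same ambiguity with stripsize. A guard such as `if (tilesize == 0) return (0);` ahead of the multiply keeps the new message truthful, and the same line with stripsize fixes the second hunk. Separately, the tiffiop.h rewrite still detects overflow by multiplying first and dividing back (`(((v)*(m))/(m)) == (v)`), which for a signed `t` — tsize_t appears to be a signed 32-bit type in this libtiff generation, confirm against tiffio.h — depends on wraparound that C does not guarantee, so an optimizer may discard the check entirely; a bound test before the multiply, comparing `(v)` against the type's maximum divided by `(m)`, avoids that but needs the maximum supplied or derived from `t`. Both enclosing functions, gtTileSeparate and gtStripSeparate, start and end outside their hunks.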