ByteCountLooksBad and EstimateStripByteCounts: avoid unsigned integer overflows. Fixes https://oss-fuzz.com/testcase-detail/5686156066291712 and https://oss-fuzz.com/testcase-detail/6332499206078464

This commit is contained in:
Even Rouault 2019-09-03 20:15:41 +02:00
parent 6de57f7e0f
commit 3519ab6c7f
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D


@ -3551,9 +3551,17 @@ static int ByteCountLooksBad(TIFF* tif)
filesize = TIFFGetFileSize(tif); filesize = TIFFGetFileSize(tif);
if( offset <= filesize && bytecount > filesize - offset ) if( offset <= filesize && bytecount > filesize - offset )
return 1; return 1;
if( tif->tif_mode == O_RDONLY && if( tif->tif_mode == O_RDONLY )
bytecount < TIFFScanlineSize64(tif) * tif->tif_dir.td_imagelength) {
return 1; uint64 scanlinesize = TIFFScanlineSize64(tif);
if( tif->tif_dir.td_imagelength > 0 &&
scanlinesize > TIFF_UINT64_MAX / tif->tif_dir.td_imagelength )
{
return 1;
}
if( bytecount < scanlinesize * tif->tif_dir.td_imagelength)
return 1;
}
return 0; return 0;
} }
@ -4573,6 +4581,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
* of data in the strip and trim this number back accordingly. * of data in the strip and trim this number back accordingly.
*/ */
strip--; strip--;
if (td->td_stripoffset_p[strip] > TIFF_UINT64_MAX - td->td_stripbytecount_p[strip])
return -1;
if (td->td_stripoffset_p[strip]+td->td_stripbytecount_p[strip] > filesize) { if (td->td_stripoffset_p[strip]+td->td_stripbytecount_p[strip] > filesize) {
if( td->td_stripoffset_p[strip] >= filesize ) { if( td->td_stripoffset_p[strip] >= filesize ) {
/* Not sure what we should in that case... */ /* Not sure what we should in that case... */
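Review bot: In the ByteCountLooksBad hunk, a failing TIFFScanlineSize64() is indistinguishable from a successful one: if it reports an error by returning 0 (as I believe libtiff's size helpers do when the row size cannot be computed — confirm against tif_strip.c), the product `scanlinesize * tif->tif_dir.td_imagelength` is 0, `bytecount < 0` is never true, and the function returns 0, i.e. the byte count "looks fine" for a directory whose geometry could not even be sized. The new overflow guard does not cover this, since it only fires when scanlinesize is large. I would treat a zero scanline size as suspect before forming the product, with `if( scanlinesize == 0 ) return 1;` right after the declaration. The beginning of ByteCountLooksBad, including any early returns on bytecount or offset, lies outside the hunk, so an earlier check may already cover part of this.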