From 53c7c58dd74f1f3560da019e6b37500ae1e8d112 Mon Sep 17 00:00:00 2001 From: Bob Friesenhahn Date: Mon, 22 Dec 2014 02:52:38 +0000 Subject: [PATCH] * tools/tiffdump.c: Guard against arithmetic overflow when calculating allocation buffer sizes. --- ChangeLog | 5 +++++ tools/tiffdump.c | 23 +++++++++++++++++++---- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index e796feb3..555c0716 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2014-12-21 Bob Friesenhahn + + * tools/tiffdump.c: Guard against arithmetic overflow when + calculating allocation buffer sizes. + 2014-12-21 Even Rouault * tools/tiff2bw.c: when Photometric=RGB, the utility only works if diff --git a/tools/tiffdump.c b/tools/tiffdump.c index 12a1e587..f490d85f 100644 --- a/tools/tiffdump.c +++ b/tools/tiffdump.c @@ -1,4 +1,4 @@ -/* $Id: tiffdump.c,v 1.29 2014-12-21 15:15:32 erouault Exp $ */ +/* $Id: tiffdump.c,v 1.30 2014-12-22 02:52:38 bfriesen Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -34,6 +34,8 @@ # include #endif +#include "tiffiop.h" + #ifdef HAVE_FCNTL_H # include #endif @@ -233,8 +235,21 @@ dump(int fd, uint64 diroff) Fatal("Cycle detected in chaining of TIFF directories!"); } } - visited_diroff = (uint64*) realloc(visited_diroff, - (count_visited_dir + 1) * sizeof(uint64)); + { + size_t alloc_size; + alloc_size=TIFFSafeMultiply(tmsize_t,(count_visited_dir + 1), + sizeof(uint64)); + if (alloc_size == 0) + { + if (visited_diroff) + free(visited_diroff); + visited_diroff = 0; + } + else + { + visited_diroff = (uint64*) realloc(visited_diroff,alloc_size); + } + } if( !visited_diroff ) Fatal("Out of memory"); visited_diroff[count_visited_dir] = diroff; @@ -322,7 +337,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) dircount = (uint16)dircount64; direntrysize = 20; } - dirmem = _TIFFmalloc(dircount * direntrysize); + dirmem = _TIFFmalloc(TIFFSafeMultiply(tmsize_t,dircount,direntrysize)); if (dirmem == NULL) { Fatal("No space for TIFF directory"); goto done;