* contrib/addtiffo/tif_overview.c (TIFF_DownSample): Check buffer

size calculation for overflow.

ChangeLog

@@ -1,5 +1,8 @@
 2015-05-30  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
+	* contrib/addtiffo/tif_overview.c (TIFF_DownSample): Check buffer
+	size calculation for overflow.
+
 	* contrib/addtiffo/addtiffo.c (main): Possibly address Coverity
 	1024226 "Untrusted value as argument".
 

contrib/addtiffo/tif_overview.c

@@ -272,10 +272,27 @@ void TIFF_DownSample( unsigned char *pabySrcTile,
     int		nPixelGroupBytes = (nBitsPerPixel+nPixelSkewBits)/8;
     unsigned char *pabySrc, *pabyDst;
     double      *padfSamples;
+    size_t      tpadfSamples_size, padfSamples_size;
 
     assert( nBitsPerPixel >= 8 );
 
-    padfSamples = (double *) malloc(sizeof(double) * nOMult * nOMult);
+    /* sizeof(double) * nOMult * nOMult */
+    tpadfSamples_size=nOMult*nOMult;
+    if ((nOMult != 0) && (tpadfSamples_size/nOMult == (size_t) nOMult)) {
+        padfSamples_size=tpadfSamples_size;
+        tpadfSamples_size=padfSamples_size*sizeof(double);
+        if ((tpadfSamples_size / padfSamples_size) == sizeof(double))
+            padfSamples_size=tpadfSamples_size;
+        else
+            padfSamples_size=0;
+    } else {
+        padfSamples_size=0;
+    }
+    if (padfSamples_size == 0) {
+        /* TODO: This is an error condition */
+        return;
+    }
+    padfSamples = (double *) malloc(padfSamples_size);
 
 /* ==================================================================== */
 /*      Loop over scanline chunks to process, establishing where the    */
@@ -893,7 +910,7 @@ void TIFFBuildOverviews( TIFF *hTIFF, int nOverviews, int * panOvList,
 /*
  * Local Variables:
  * mode: c
- * c-basic-offset: 8
+ * c-basic-offset: 4
  * fill-column: 78
  * End:
  */