From 981e43ecae83935625c86c9118c0778c942c7048 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Wed, 15 Aug 2018 16:34:40 +0200 Subject: [PATCH] TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit systems with large number of strips. Probably relates to http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779 --- libtiff/tif_write.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c index 586f6fdf..a31ecd12 100644 --- a/libtiff/tif_write.c +++ b/libtiff/tif_write.c @@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif) if (td->td_planarconfig == PLANARCONFIG_SEPARATE) td->td_stripsperimage /= td->td_samplesperpixel; td->td_stripoffset = (uint64 *) - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), + "for \"StripOffsets\" array"); td->td_stripbytecount = (uint64 *) - _TIFFmalloc(td->td_nstrips * sizeof (uint64)); + _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), + "for \"StripByteCounts\" array"); if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) return (0); /*