Potential memory leak fixed in _TIFFVSetField(). Fixed possible integer

overflow _TIFFset*Array() functions (Dmitry V. Levin).
2004-09-25 11:05:58 +00:00 · 2004-09-25 11:05:58 +00:00 · ba180e90d5
commit ba180e90d5
parent 9da27e9da7
1 changed files with 38 additions and 22 deletions
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@ -1,4 +1,4 @@
-/* $Id: tif_dir.c,v 1.37 2004-09-21 14:44:06 dron Exp $ */
+/* $Id: tif_dir.c,v 1.38 2004-09-25 11:05:58 dron Exp $ */

 /*
 * Copyright (c) 1988-1997 Sam Leffler
@ -40,26 +40,33 @@
 #define DATATYPE_UINT		2       /* !unsigned integer data */
 #define DATATYPE_IEEEFP		3       /* !IEEE floating point data */

-void
-_TIFFsetByteArray(void** vpp, void* vp, long n)
+static void
+setByteArray(void** vpp, void* vp, size_t nmemb, size_t elem_size)
 {
 	if (*vpp)
 		_TIFFfree(*vpp), *vpp = 0;
-	if (vp && (*vpp = (void*) _TIFFmalloc(n)))
-		_TIFFmemcpy(*vpp, vp, n);
+	if (vp) {
+		tsize_t	bytes = nmemb * elem_size;
+		if (elem_size && bytes / elem_size == nmemb)
+			*vpp = (void*) _TIFFmalloc(bytes);
+		if (*vpp)
+			_TIFFmemcpy(*vpp, vp, bytes);
+	}
 }
+void _TIFFsetByteArray(void** vpp, void* vp, long n)
+    { setByteArray(vpp, vp, n, 1); }
 void _TIFFsetString(char** cpp, char* cp)
-    { _TIFFsetByteArray((void**) cpp, (void*) cp, (long) (strlen(cp)+1)); }
+    { setByteArray((void**) cpp, (void*) cp, strlen(cp)+1, 1); }
 void _TIFFsetNString(char** cpp, char* cp, long n)
-    { _TIFFsetByteArray((void**) cpp, (void*) cp, n); }
+    { setByteArray((void**) cpp, (void*) cp, n, 1); }
 void _TIFFsetShortArray(uint16** wpp, uint16* wp, long n)
-    { _TIFFsetByteArray((void**) wpp, (void*) wp, n*sizeof (uint16)); }
+    { setByteArray((void**) wpp, (void*) wp, n, sizeof (uint16)); }
 void _TIFFsetLongArray(uint32** lpp, uint32* lp, long n)
-    { _TIFFsetByteArray((void**) lpp, (void*) lp, n*sizeof (uint32)); }
+    { setByteArray((void**) lpp, (void*) lp, n, sizeof (uint32)); }
 void _TIFFsetFloatArray(float** fpp, float* fp, long n)
-    { _TIFFsetByteArray((void**) fpp, (void*) fp, n*sizeof (float)); }
+    { setByteArray((void**) fpp, (void*) fp, n, sizeof (float)); }
 void _TIFFsetDoubleArray(double** dpp, double* dp, long n)
-    { _TIFFsetByteArray((void**) dpp, (void*) dp, n*sizeof (double)); }
+    { setByteArray((void**) dpp, (void*) dp, n, sizeof (double)); }

 /*
 * Install extra samples information.
@ -521,14 +528,21 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va_list ap)
             */
            if( tv == NULL )
            {
-                td->td_customValueCount++;
-                if( td->td_customValueCount > 1 )
-                    td->td_customValues = (TIFFTagValue *)
-                        _TIFFrealloc(td->td_customValues,
-                                     sizeof(TIFFTagValue) * td->td_customValueCount);
-                else
-                    td->td_customValues = (TIFFTagValue *)
-                        _TIFFmalloc(sizeof(TIFFTagValue));
+		TIFFTagValue	*new_customValues;
+		
+		td->td_customValueCount++;
+		new_customValues = (TIFFTagValue *)
+			_TIFFrealloc(td->td_customValues,
+				     sizeof(TIFFTagValue) * td->td_customValueCount);
+		if (!new_customValues) {
+			TIFFError(module,
+		"%s: Failed to allocate space for list of custom values",
+				  tif->tif_name);
+			status = 0;
+			goto end;
+		}
+
+		td->td_customValues = new_customValues;

                tv = td->td_customValues + (td->td_customValueCount-1);
                tv->info = fip;
@ -586,20 +600,22 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va_list ap)
            TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
            tif->tif_flags |= TIFF_DIRTYDIRECT;
 	}
+
+end:
 	va_end(ap);
 	return (status);
 badvalue:
-	TIFFError(module, "%.1000s: Bad value %d for \"%s\"",
+	TIFFError(module, "%s: Bad value %d for \"%s\"",
 		  tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
 	va_end(ap);
 	return (0);
 badvalue32:
-	TIFFError(module, "%.1000s: Bad value %ld for \"%s\"",
+	TIFFError(module, "%s: Bad value %ld for \"%s\"",
 		   tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
 	va_end(ap);
 	return (0);
 badvaluedbl:
-	TIFFError(module, "%.1000s: Bad value %f for \"%s\"",
+	TIFFError(module, "%s: Bad value %f for \"%s\"",
 		  tif->tif_name, d, _TIFFFieldWithTag(tif, tag)->field_name);
 	va_end(ap);
 	return (0);