Detect integer overflow in addition when computing buffer size.

This commit is contained in:
Tom Lane 2012-12-10 17:27:13 +00:00
parent 74295b7487
commit bff7f45716
2 changed files with 25 additions and 2 deletions

View File

@ -1,3 +1,10 @@
2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>
* libtiff/tif_pixarlog.c: Improve previous patch for CVE-2012-4447
(to enlarge tbuf for possible partial stride at end) so that
overflow in the integer addition is detected. Per gripe from
Huzaifa Sidhpurwala.
2012-12-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiffset.c: tiffset now supports a -u option to unset a

View File

@ -1,4 +1,4 @@
/* $Id: tif_pixarlog.c,v 1.38 2012-06-21 01:01:53 fwarmerdam Exp $ */
/* $Id: tif_pixarlog.c,v 1.39 2012-12-10 17:27:13 tgl Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@ -644,6 +644,20 @@ multiply_ms(tmsize_t m1, tmsize_t m2)
return bytes;
}
static tmsize_t
add_ms(tmsize_t m1, tmsize_t m2)
{
tmsize_t bytes = m1 + m2;
/* if either input is zero, assume overflow already occurred */
if (m1 == 0 || m2 == 0)
bytes = 0;
else if (bytes <= m1 || bytes <= m2)
bytes = 0;
return bytes;
}
static int
PixarLogFixupTags(TIFF* tif)
{
@ -671,9 +685,11 @@ PixarLogSetupDecode(TIFF* tif)
td->td_samplesperpixel : 1);
tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
td->td_rowsperstrip), sizeof(uint16));
/* add one more stride in case input ends mid-stride */
tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
if (tbuf_size == 0)
return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)