_TIFFPartialReadStripArray(): avoid triggering unsigned integer overflow with -fsanitize=unsigned-integer-overflow (not a bug, this is well defined by itself)

Even Rouault 2019-08-20 15:29:06 +02:00
parent b04da30e11
commit dd50fedc2f
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D


@ -5958,6 +5958,13 @@ static void TryChopUpUncompressedBigTiff( TIFF* tif )
allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip); allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);
} }
TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
static uint64 _TIFFUnsanitizedAddUInt64AndInt(uint64 a, int b)
{
return a + b;
}
/* Read the value of [Strip|Tile]Offset or [Strip|Tile]ByteCount around /* Read the value of [Strip|Tile]Offset or [Strip|Tile]ByteCount around
* strip/tile of number strile. Also fetch the neighbouring values using a * strip/tile of number strile. Also fetch the neighbouring values using a
* 4096 byte page size. * 4096 byte page size.
@ -6059,7 +6066,7 @@ int _TIFFPartialReadStripArray( TIFF* tif, TIFFDirEntry* dirent,
iStartBefore = -strile; iStartBefore = -strile;
for( i = iStartBefore; for( i = iStartBefore;
(uint32)(strile + i) < arraySize && (uint32)(strile + i) < arraySize &&
(uint64)(nOffset) + (i + 1) * sizeofvalint <= nOffsetEndPage; _TIFFUnsanitizedAddUInt64AndInt(nOffset, (i + 1) * sizeofvalint) <= nOffsetEndPage;
++i ) ++i )
{ {
if( sizeofval == sizeof(uint16) ) if( sizeofval == sizeof(uint16) )
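Review bot: The new helper `_TIFFUnsanitizedAddUInt64AndInt` has no comment saying that `b` may be negative and that the wraparound is the intended result, so the `TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW` annotation reads as a blanket suppression. I would add above it `/* b may be negative: it is converted to uint64 and the sum wraps modulo 2^64, i.e. a - |b|. Callers must ensure the true result fits in uint64. */`. In the loop condition of `_TIFFPartialReadStripArray`, the argument `(i + 1) * sizeofvalint` is still a signed `int` product, and the exemption would also hide a genuine wrap of `nOffset` plus a positive term. Both look bounded by the 4096-byte page logic, but that code and the origin of `nOffset` are outside the visible hunks, so confirm the bound holds for offsets taken from the file. The loop body continues past the end of the hunk.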