_TIFFMultiply32() / _TIFFMultiply64(): avoid relying on unsigned integer overflow (not a bug)

libtiff/tif_aux.c

@@ -35,27 +35,23 @@
 uint32
 _TIFFMultiply32(TIFF* tif, uint32 first, uint32 second, const char* where)
 {
-	uint32 bytes = first * second;
+	if (second && first > TIFF_UINT32_MAX / second) {
-
-	if (second && bytes / second != first) {
 		TIFFErrorExt(tif->tif_clientdata, where, "Integer overflow in %s", where);
-		bytes = 0;
+		return 0;
 	}
 
-	return bytes;
+	return first * second;
 }
 
 uint64
 _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
 {
-	uint64 bytes = first * second;
+	if (second && first > TIFF_UINT64_MAX / second) {
-
-	if (second && bytes / second != first) {
 		TIFFErrorExt(tif->tif_clientdata, where, "Integer overflow in %s", where);
-		bytes = 0;
+		return 0;
 	}
 
-	return bytes;
+	return first * second;
 }
 
 tmsize_t

libtiff/tif_dirread.c

@@ -40,16 +40,6 @@
 
 #define FAILED_FII    ((uint32) -1)
 
-/*
- * Largest 32-bit unsigned integer value.
- */
-#define TIFF_UINT32_MAX 0xFFFFFFFFU
-
-/*
- * Largest 64-bit unsigned integer value.
- */
-#define TIFF_UINT64_MAX (((uint64)(TIFF_UINT32_MAX)) << 32 | TIFF_UINT32_MAX)
-
 /*
  * Largest 64-bit signed integer value.
  */

libtiff/tiffiop.h

@@ -80,6 +80,16 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
 #define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
 #define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
 
+/*
+ * Largest 32-bit unsigned integer value.
+ */
+#define TIFF_UINT32_MAX 0xFFFFFFFFU
+
+/*
+ * Largest 64-bit unsigned integer value.
+ */
+#define TIFF_UINT64_MAX (((uint64)(TIFF_UINT32_MAX)) << 32 | TIFF_UINT32_MAX)
+
 typedef struct client_info {
     struct client_info *next;
     void *data;