From 5beedebb828f9dcfcd614abc81926025e039c6cd Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Tue, 2 Jun 2009 13:51:26 +0000
Subject: [PATCH] check for integer overflow which could result in buffer overrun when loading an invalid TIFF file

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@60876 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
---
 src/common/imagtiff.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/common/imagtiff.cpp b/src/common/imagtiff.cpp
index fed6679246..0df1139d8f 100644
--- a/src/common/imagtiff.cpp
+++ b/src/common/imagtiff.cpp
@@ -286,7 +286,6 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
 }
 
 uint32 w, h;
- uint32 npixels;
 uint32 *raster;
 
 TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
@@ -300,9 +299,20 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
 (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
 samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
 
- npixels = w * h;
+ // guard against integer overflow during multiplication which could result
+ // in allocating a too small buffer and then overflowing it
+ const double bytesNeeded = w * h * sizeof(uint32);
+ if ( bytesNeeded >= wxUINT32_MAX )
+ {
+ if ( verbose )
+ wxLogError( _("TIFF: Image size is abnormally big.") );
 
- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+ TIFFClose(tif);
+
+ return false;
+ }
+
+ raster = (uint32*) _TIFFmalloc( bytesNeeded );
 
 if (!raster)
 {
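Review bot: The guard added in the second hunk cannot observe the overflow it is meant to catch, because in `const double bytesNeeded = w * h * sizeof(uint32);` the product is evaluated in integer arithmetic and only the already-wrapped result is converted to double. `w * h` is a uint32 multiplication (and the whole product is 32-bit wherever size_t is 32 bits), so for width and height taken from an untrusted TIFF the value compared with wxUINT32_MAX can be small, the check passes, and `_TIFFmalloc` still receives an undersized byte count. Forcing the arithmetic into floating point before multiplying makes the comparison meaningful: `const double bytesNeeded = (double)w * (double)h * sizeof(uint32);`. The double is also passed to `_TIFFmalloc` through an implicit narrowing conversion; an explicit cast to the allocator's size type after the range check would make the intended bound visible. LoadFile begins and continues outside the hunk, so the later uses of w and h against this buffer cannot be checked from here.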