88 lines
2.6 KiB
Diff
88 lines
2.6 KiB
Diff
diff -Naur tiff-3.9.2.orig/tools/tiff2rgba.c tiff-3.9.2/tools/tiff2rgba.c
|
|
--- tiff-3.9.2.orig/tools/tiff2rgba.c 2009-08-20 16:23:53.000000000 -0400
|
|
+++ tiff-3.9.2/tools/tiff2rgba.c 2009-12-03 12:19:07.000000000 -0500
|
|
@@ -125,6 +125,17 @@
|
|
return (0);
|
|
}
|
|
|
|
+static tsize_t
|
|
+multiply(tsize_t m1, tsize_t m2)
|
|
+{
|
|
+ tsize_t prod = m1 * m2;
|
|
+
|
|
+ if (m1 && prod / m1 != m2)
|
|
+ prod = 0; /* overflow */
|
|
+
|
|
+ return prod;
|
|
+}
|
|
+
|
|
static int
|
|
cvt_by_tile( TIFF *in, TIFF *out )
|
|
|
|
@@ -134,6 +145,7 @@
|
|
uint32 tile_width, tile_height;
|
|
uint32 row, col;
|
|
uint32 *wrk_line;
|
|
+ tsize_t raster_size;
|
|
int ok = 1;
|
|
|
|
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
|
@@ -151,7 +163,14 @@
|
|
/*
|
|
* Allocate tile buffer
|
|
*/
|
|
- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
|
|
+ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
|
|
+ if (!raster_size) {
|
|
+ TIFFError(TIFFFileName(in),
|
|
+ "Can't allocate buffer for raster of size %lux%lu",
|
|
+ (unsigned long) tile_width, (unsigned long) tile_height);
|
|
+ return (0);
|
|
+ }
|
|
+ raster = (uint32*)_TIFFmalloc(raster_size);
|
|
if (raster == 0) {
|
|
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
|
return (0);
|
|
@@ -159,7 +178,7 @@
|
|
|
|
/*
|
|
* Allocate a scanline buffer for swapping during the vertical
|
|
- * mirroring pass.
|
|
+ * mirroring pass. (Request can't overflow given prior checks.)
|
|
*/
|
|
wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
|
|
if (!wrk_line) {
|
|
@@ -236,6 +255,7 @@
|
|
uint32 width, height; /* image width & height */
|
|
uint32 row;
|
|
uint32 *wrk_line;
|
|
+ tsize_t raster_size;
|
|
int ok = 1;
|
|
|
|
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
|
|
@@ -251,7 +271,14 @@
|
|
/*
|
|
* Allocate strip buffer
|
|
*/
|
|
- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
|
|
+ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
|
|
+ if (!raster_size) {
|
|
+ TIFFError(TIFFFileName(in),
|
|
+ "Can't allocate buffer for raster of size %lux%lu",
|
|
+ (unsigned long) width, (unsigned long) rowsperstrip);
|
|
+ return (0);
|
|
+ }
|
|
+ raster = (uint32*)_TIFFmalloc(raster_size);
|
|
if (raster == 0) {
|
|
TIFFError(TIFFFileName(in), "No space for raster buffer");
|
|
return (0);
|
|
@@ -259,7 +286,7 @@
|
|
|
|
/*
|
|
* Allocate a scanline buffer for swapping during the vertical
|
|
- * mirroring pass.
|
|
+ * mirroring pass. (Request can't overflow given prior checks.)
|
|
*/
|
|
wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
|
|
if (!wrk_line) {
|