check for integer overflow which could result in buffer overrun when loading an invalid TIFF file
git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/branches/WX_2_8_BRANCH@60876 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
This commit is contained in:
@@ -261,7 +261,6 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
|
||||
}
|
||||
|
||||
uint32 w, h;
|
||||
uint32 npixels;
|
||||
uint32 *raster;
|
||||
|
||||
TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
|
||||
@@ -275,9 +274,20 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
|
||||
(samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
|
||||
samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
|
||||
|
||||
npixels = w * h;
|
||||
// guard against integer overflow during multiplication which could result
|
||||
// in allocating a too small buffer and then overflowing it
|
||||
const double bytesNeeded = w * h * sizeof(uint32);
|
||||
if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
|
||||
{
|
||||
if ( verbose )
|
||||
wxLogError( _("TIFF: Image size is abnormally big.") );
|
||||
|
||||
raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
|
||||
TIFFClose(tif);
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
raster = (uint32*) _TIFFmalloc( bytesNeeded );
|
||||
|
||||
if (!raster)
|
||||
{
|
||||
|
Reference in New Issue
Block a user