Amebis/wxWidgets
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

check for integer overflow which could result in buffer overrun when loading an invalid TIFF file

Browse Source 
git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/branches/WX_2_8_BRANCH@60876 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
This commit is contained in:
Vadim Zeitlin
2009-06-02 13:51:26 +00:00
parent 619643cc37
commit 6555147b11
1 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/common/imagtiff.cpp
View File

@@ -261,7 +261,6 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
} }
uint32 w, h; uint32 w, h;
uint32 npixels;
uint32 *raster; uint32 *raster;
TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w ); TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
@@ -275,9 +274,20 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
(samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA || (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
samplesInfo[0] == EXTRASAMPLE_UNASSALPHA)); samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
npixels = w * h; // guard against integer overflow during multiplication which could result
// in allocating a too small buffer and then overflowing it
const double bytesNeeded = w * h * sizeof(uint32);
if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
{
if ( verbose )
wxLogError( _("TIFF: Image size is abnormally big.") );
raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) ); TIFFClose(tif);
return false;
}
raster = (uint32*) _TIFFmalloc( bytesNeeded );
if (!raster) if (!raster)
{ {