diff options
author | Robin Watts <robin@peeves.(none)> | 2012-06-11 11:49:31 -0700 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2012-06-11 19:55:54 +0100 |
commit | 4fddb35e247a2d81b9b78ca3543b97da9e9fce45 (patch) | |
tree | fe87bc8ab4351a8cb5a9892c83ab63837bb109b5 /fitz/image_tiff.c | |
parent | 120dabdf30be66b5d17f4c59862907bb5d176e27 (diff) | |
download | mupdf-4fddb35e247a2d81b9b78ca3543b97da9e9fce45.tar.xz |
Fix Bug 693102: Overflows in large pixmap indexing.
When we allocate a pixmap > 2G, but < 4G, the index into that
pixmap, when calculated as an int can be negative. Fix this with
various casts to unsigned int.
If we ever move to support >4G images we'll need to rejig the
casting to cast each part of the element to ptrdiff_t first.
Diffstat (limited to 'fitz/image_tiff.c')
-rw-r--r-- | fitz/image_tiff.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/fitz/image_tiff.c b/fitz/image_tiff.c index de4c0732..f79e8672 100644 --- a/fitz/image_tiff.c +++ b/fitz/image_tiff.c @@ -286,8 +286,8 @@ fz_expand_tiff_colormap(struct tiff *tiff) for (y = 0; y < tiff->imagelength; y++) { - src = tiff->samples + (tiff->stride * y); - dst = samples + (stride * y); + src = tiff->samples + (unsigned int)(tiff->stride * y); + dst = samples + (unsigned int)(stride * y); for (x = 0; x < tiff->imagewidth; x++) { @@ -403,8 +403,8 @@ fz_decode_tiff_strips(struct tiff *tiff) unsigned wlen = tiff->stride * tiff->rowsperstrip; unsigned char *rp = tiff->bp + offset; - if (wp + wlen > tiff->samples + tiff->stride * tiff->imagelength) - wlen = tiff->samples + tiff->stride * tiff->imagelength - wp; + if (wp + wlen > tiff->samples + (unsigned int)(tiff->stride * tiff->imagelength)) + wlen = tiff->samples + (unsigned int)(tiff->stride * tiff->imagelength) - wp; if (rp + rlen > tiff->ep) fz_throw(tiff->ctx, "strip extends beyond the end of the file"); |