authorTor Andersson <tor.andersson@artifex.com>2013-02-19 16:42:28 +0100
committerTor Andersson <tor.andersson@artifex.com>2013-02-19 18:46:52 +0100
commit8988e2f78a0eb7a5cc9743b2fac0e28a20224de9 (patch)
treee26da1c8e791b95123662921dd1919fcc3ed1052 /fitz
parent3db5d5f56a5ec305f57ba7c2c4b12c1d3292b074 (diff)
Bug 693639: fix integer overflow in image_tiff.c
Thanks to zeniko.
Diffstat (limited to 'fitz')
-rw-r--r--fitz/image_tiff.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/fitz/image_tiff.c b/fitz/image_tiff.c
index 5b154c3e..a2b405d9 100644
--- a/fitz/image_tiff.c
+++ b/fitz/image_tiff.c
@@ -758,8 +758,14 @@ fz_decode_tiff_header(fz_context *ctx, struct tiff *tiff, unsigned char *buf, in
tiff->rp = tiff->bp + offset;
+ if (tiff->rp < tiff->bp || tiff->rp > tiff->ep)
+ fz_throw(tiff->ctx, "invalid IFD offset %u", offset);
+
count = readshort(tiff);
+ if (count * 12 > (unsigned)(tiff->ep - tiff->rp))
+ fz_throw(tiff->ctx, "overlarge IFD entry count %u", count);
+
offset += 2;
for (i = 0; i < count; i++)
{