Fix 695831: integer overflow in PNG and TIFF loaders.

author: Tor Andersson <tor.andersson@artifex.com> 2015-02-18 10:45:34 +0100
committer: Tor Andersson <tor.andersson@artifex.com> 2015-02-18 11:29:27 +0100
commit: 1c037cd7aeb3bad78ff0e2eda17b295252984056 (patch)
tree: f72665f256efa51338ddd587fc23972374818707 /source/fitz/load-tiff.c
parent: 2be707dc57c97b6647b33ca7349e2558f1f2b96f (diff)
download: mupdf-1c037cd7aeb3bad78ff0e2eda17b295252984056.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c
index c783784a..054baebe 100644
--- a/source/fitz/load-tiff.c
+++ b/source/fitz/load-tiff.c
@@ -295,6 +295,9 @@ fz_expand_tiff_colormap(fz_context *ctx, struct tiff *tiff)
 	if (tiff->colormaplen < (unsigned)maxval * 3)
 		fz_throw(ctx, FZ_ERROR_GENERIC, "insufficient colormap data");
 
+	if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2))
+		fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
+
 	stride = tiff->imagewidth * (tiff->samplesperpixel + 2);
 
 	samples = fz_malloc(ctx, stride * tiff->imagelength);
@@ -361,6 +364,9 @@ fz_decode_tiff_strips(fz_context *ctx, struct tiff *tiff)
 	if (tiff->planar != 1)
 		fz_throw(ctx, FZ_ERROR_GENERIC, "image data is not in chunky format");
 
+	if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2) / (tiff->bitspersample / 8 + 1))
+		fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
+
 	tiff->stride = (tiff->imagewidth * tiff->samplesperpixel * tiff->bitspersample + 7) / 8;
 
 	switch (tiff->photometric)
author	Tor Andersson <tor.andersson@artifex.com>	2015-02-18 10:45:34 +0100
committer	Tor Andersson <tor.andersson@artifex.com>	2015-02-18 11:29:27 +0100
commit	1c037cd7aeb3bad78ff0e2eda17b295252984056 (patch)
tree	f72665f256efa51338ddd587fc23972374818707 /source/fitz/load-tiff.c
parent	2be707dc57c97b6647b33ca7349e2558f1f2b96f (diff)
download	mupdf-1c037cd7aeb3bad78ff0e2eda17b295252984056.tar.xz