From 8988e2f78a0eb7a5cc9743b2fac0e28a20224de9 Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Tue, 19 Feb 2013 16:42:28 +0100
Subject: Bug 693639: fix integer overflow in image_tiff.c

Thanks to zeniko.
---
 fitz/image_tiff.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fitz/image_tiff.c b/fitz/image_tiff.c
index 5b154c3e..a2b405d9 100644
--- a/fitz/image_tiff.c
+++ b/fitz/image_tiff.c
@@ -758,8 +758,14 @@ fz_decode_tiff_header(fz_context *ctx, struct tiff *tiff, unsigned char *buf, in
 tiff->rp = tiff->bp + offset;
+ if (tiff->rp < tiff->bp || tiff->rp > tiff->ep)
+ fz_throw(tiff->ctx, "invalid IFD offset %u", offset);
+
 count = readshort(tiff);
+ if (count * 12 > (unsigned)(tiff->ep - tiff->rp))
+ fz_throw(tiff->ctx, "overlarge IFD entry count %u", count);
+
 offset += 2;
 for (i = 0; i < count; i++)
 {
-- 
cgit v1.2.3
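Review bot: The new IFD-offset guard is applied after `tiff->rp = tiff->bp + offset` has already been formed, and it admits `rp == ep`, so the `count = readshort(tiff)` that follows immediately can read two bytes past `ep` unless readshort bounds-checks on its own (not visible in this hunk). Forming `bp + offset` with an attacker-controlled offset and then comparing it against `bp` is also pointer arithmetic outside the buffer, which is undefined behaviour in C and a check an optimizing compiler is entitled to drop; comparing the integers before deriving the pointer avoids both problems. I would replace the first two added lines and the assignment with `if ((unsigned)(tiff->ep - tiff->bp) < 2 || offset > (unsigned)(tiff->ep - tiff->bp) - 2)` / `fz_throw(tiff->ctx, "invalid IFD offset %u", offset);` / `tiff->rp = tiff->bp + offset;`, assuming offset is unsigned as the `%u` format implies. The second guard (`count * 12` against the bytes remaining after readshort) looks sound given count comes from a 16-bit read, so the multiplication cannot wrap. fz_decode_tiff_header begins before and continues after this hunk.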