From 1c037cd7aeb3bad78ff0e2eda17b295252984056 Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Wed, 18 Feb 2015 10:45:34 +0100
Subject: Fix 695831: integer overflow in PNG and TIFF loaders.
---
 source/fitz/load-png.c | 15 ++++++++++++++-
 source/fitz/load-tiff.c | 6 ++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
(limited to 'source')
diff --git a/source/fitz/load-png.c b/source/fitz/load-png.c
index 1cca89c0..9c947148 100644
--- a/source/fitz/load-png.c
+++ b/source/fitz/load-png.c
@@ -274,6 +274,8 @@ png_read_ihdr(fz_context *ctx, struct info *info, unsigned char *p, unsigned int
 fz_throw(ctx, FZ_ERROR_GENERIC, "unknown filter method");
 if (info->interlace != 0 && info->interlace != 1)
 fz_throw(ctx, FZ_ERROR_GENERIC, "interlace method not supported");
+ if (info->height > UINT_MAX / info->width / info->n / (info->depth / 8 + 1))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
 }
 
 static void
@@ -572,7 +574,18 @@ fz_load_png(fz_context *ctx, unsigned char *p, int total)
 fz_unpack_tile(ctx, image, png.samples, png.n, png.depth, stride, png.indexed);
 
 if (png.indexed)
- image = png_expand_palette(ctx, &png, image);
+ {
+ fz_try(ctx)
+ {
+ image = png_expand_palette(ctx, &png, image);
+ }
+ fz_catch(ctx)
+ {
+ fz_free(ctx, png.samples);
+ fz_drop_pixmap(ctx, image);
+ fz_rethrow(ctx);
+ }
+ }
 else if (png.transparency)
 png_mask_transparency(&png, image);
 
diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c
index c783784a..054baebe 100644
--- a/source/fitz/load-tiff.c
+++ b/source/fitz/load-tiff.c
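Review bot: The new guard in png_read_ihdr divides by `info->width` and `info->n` before anything in this hunk shows either is non-zero, so a zero-width IHDR would fault on the check itself unless a width/colour-type validation earlier in the function (outside the hunk) already rejects it; the same dependency on `tiff->imagewidth` being non-zero exists in both load-tiff.c hunks. If that validation is not there, a guard such as `if (info->width == 0 || info->n == 0) fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions must be > 0");` belongs ahead of the division. The bound also deserves a comment, because `(info->depth / 8 + 1)` is a rounded-up proxy for bytes per sample rather than the loader's real stride arithmetic: `/* conservative bound: height * width * n * (bytes per sample, rounded up) must fit in an unsigned int */`. Note too that the limit is UINT_MAX; if the consumers compute `stride * height` in int rather than unsigned, the product can still exceed INT_MAX, so the declared types of width, height and stride (outside the hunk) are worth confirming.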
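Review bot: The fz_catch block in fz_load_png drops `image` after png_expand_palette has thrown, which is correct only if png_expand_palette leaves its input pixmap owned by the caller on every failure path; png_expand_palette is outside this hunk, so that contract should be confirmed and recorded above the fz_try, e.g. `/* png_expand_palette takes ownership of image only on success; on failure we still own image and png.samples */`. Separately, `image` is assigned inside fz_try and read in fz_catch, and MuPDF's convention for locals used that way is an `fz_var(image);` declaration near the top of the function; whether it is already present cannot be seen here, since fz_load_png begins before this hunk and continues after it.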
@@ -295,6 +295,9 @@ fz_expand_tiff_colormap(fz_context *ctx, struct tiff *tiff)
 if (tiff->colormaplen < (unsigned)maxval * 3)
 fz_throw(ctx, FZ_ERROR_GENERIC, "insufficient colormap data");
 
+ if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
+
 stride = tiff->imagewidth * (tiff->samplesperpixel + 2);
 samples = fz_malloc(ctx, stride * tiff->imagelength);
 
@@ -361,6 +364,9 @@ fz_decode_tiff_strips(fz_context *ctx, struct tiff *tiff)
 if (tiff->planar != 1)
 fz_throw(ctx, FZ_ERROR_GENERIC, "image data is not in chunky format");
 
+ if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2) / (tiff->bitspersample / 8 + 1))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
+
 tiff->stride = (tiff->imagewidth * tiff->samplesperpixel * tiff->bitspersample + 7) / 8;
 
 switch (tiff->photometric)
-- 
cgit v1.2.3
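Review bot: The guard added in fz_decode_tiff_strips bounds `imagelength * imagewidth * (samplesperpixel + 2) * (bitspersample / 8 + 1)`, but the stride line directly after it multiplies `tiff->imagewidth * tiff->samplesperpixel * tiff->bitspersample` before the `+ 7) / 8`, and that pre-division product is not covered when imagelength is small: with imagelength 1, samplesperpixel 1 and bitspersample 8 the check admits imagewidth up to UINT_MAX / 6 while the bit product reaches 8 * imagewidth, so it can wrap (or overflow signed, depending on the field types declared outside the hunk) and leave tiff->stride smaller than the row size the strip decoder later fills. A separate check on the bit count closes the gap, e.g. `if (tiff->samplesperpixel == 0 || tiff->bitspersample == 0 || tiff->imagewidth > (UINT_MAX - 7) / tiff->samplesperpixel / tiff->bitspersample) fz_throw(ctx, FZ_ERROR_GENERIC, "image row size might overflow");` placed before the stride assignment. The load-png.c hunk in png_read_ihdr has the same shape if fz_load_png derives its stride from `width * n * depth` the same way (that line is outside its hunk). fz_decode_tiff_strips continues past the end of this hunk.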