diff options
| author | stackexploit <stackexploit@gmail.com> | 2016-10-10 10:58:25 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-10-10 10:58:25 -0700 |
| commit | 24ba0a2ef48d7be37f02056d20bb8c625f641939 (patch) | |
| tree | 903bb9dd7c91743057d8b2ead4a1ba7196ca0e02 /third_party/libtiff/tif_aux.c | |
| parent | 3a0a808ff546b5633a2384f4ed156b7ced605c90 (diff) | |
| download | pdfium-24ba0a2ef48d7be37f02056d20bb8c625f641939.tar.xz | |
libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.
The patch (https://codereview.chromium.org/2284063002) for Issue 618267
was insufficient. The integer overflow still could be triggered and could
lead to heap buffer overflow.
This CL strengthens integer overflow check in function _TIFFCheckRealloc.
BUG=chromium:654169
R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2405693002
Diffstat (limited to 'third_party/libtiff/tif_aux.c')
| -rw-r--r-- | third_party/libtiff/tif_aux.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c index 3ce3680ab2..bc4ea01928 100644 --- a/third_party/libtiff/tif_aux.c +++ b/third_party/libtiff/tif_aux.c @@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, /* * XXX: Check for integer overflow. */ - if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) cp = _TIFFrealloc(buffer, bytes); if (cp == NULL) { |