diff options
author | Nicolas Pena <npm@chromium.org> | 2017-01-25 10:41:06 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-25 23:25:22 +0000 |
commit | 4fc34fa8376dd5cd119606ba6e0dd7e08d23ac38 (patch) | |
tree | be0bdf1785d6131285d9f627cea1e1150385438b /third_party/libtiff/tif_getimage.c | |
parent | 03de88464cc818ac4353de3e7ec49b98166bcdc5 (diff) | |
download | pdfium-4fc34fa8376dd5cd119606ba6e0dd7e08d23ac38.tar.xz |
Prevent skew overflows in gtTileContig
Using int64 to check whether uint32 operations have overflowed.
BUG=681300
Change-Id: I4470d34f2e5e61c0bf96f1c8587cdb7805afe87b
Reviewed-on: https://pdfium-review.googlesource.com/2355
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'third_party/libtiff/tif_getimage.c')
-rw-r--r-- | third_party/libtiff/tif_getimage.c | 45 |
1 files changed, 40 insertions, 5 deletions
diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c index 2861cdd1e2..5ed1b7a370 100644 --- a/third_party/libtiff/tif_getimage.c +++ b/third_party/libtiff/tif_getimage.c @@ -31,6 +31,7 @@ */ #include "tiffiop.h" #include <stdio.h> +#include <limits.h> static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); @@ -612,6 +613,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) uint32 tw, th; unsigned char* buf; int32 fromskew, toskew; + int64 safeskew; uint32 nrow; int ret = 1, flip; uint32 this_tw, tocol; @@ -631,19 +633,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) flip = setorientation(img); if (flip & FLIP_VERTICALLY) { y = h - 1; - toskew = -(int32)(tw + w); + safeskew = 0; + safeskew -= tw; + safeskew -= w; } else { y = 0; - toskew = -(int32)(tw - w); + safeskew = 0; + safeskew -= tw; + safeskew +=w; } + if(safeskew > INT_MAX || safeskew < INT_MIN){ + _TIFFfree(buf); + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); + return (0); + } + toskew = safeskew; + /* * Leftmost tile is clipped on left side if col_offset > 0. */ leftmost_fromskew = img->col_offset % tw; leftmost_tw = tw - leftmost_fromskew; - leftmost_toskew = toskew + leftmost_fromskew; + safeskew = toskew; + safeskew += leftmost_fromskew; + if(safeskew > INT_MAX || safeskew < INT_MIN){ + _TIFFfree(buf); + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); + return (0); + } + leftmost_toskew = safeskew; for (row = 0; row < h; row += nrow) { rowstoread = th - (row + img->row_offset) % th; @@ -668,9 +688,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) /* * Rightmost tile is clipped on right side. */ - fromskew = tw - (w - tocol); + safeskew = tw; + safeskew -= w; + safeskew += tocol; + if(safeskew > INT_MAX || safeskew < INT_MIN){ + _TIFFfree(buf); + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); + return (0); + } + fromskew = safeskew; this_tw = tw - fromskew; - this_toskew = toskew + fromskew; + safeskew = toskew; + safeskew += fromskew; + if(safeskew > INT_MAX || safeskew < INT_MIN){ + _TIFFfree(buf); + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); + return (0); + } + this_toskew = safeskew; } (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos); tocol += this_tw; |