From 24ba0a2ef48d7be37f02056d20bb8c625f641939 Mon Sep 17 00:00:00 2001
From: stackexploit <stackexploit@gmail.com>
Date: Mon, 10 Oct 2016 10:58:25 -0700
Subject: libtiff: Prevent a buffer overflow in function
 ChopUpSingleUncompressedStrip.

The patch (https://codereview.chromium.org/2284063002) for Issue 618267
was insufficient. The integer overflow still could be triggered and could
lead to heap buffer overflow.

This CL strengthens integer overflow check in function _TIFFCheckRealloc.

BUG=chromium:654169
R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2405693002
---
 third_party/libtiff/tif_aux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'third_party/libtiff/tif_aux.c')

diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
index 3ce3680ab2..bc4ea01928 100644
--- a/third_party/libtiff/tif_aux.c
+++ b/third_party/libtiff/tif_aux.c
@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
 	/*
 	 * XXX: Check for integer overflow.
 	 */
-	if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+	if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
 		cp = _TIFFrealloc(buffer, bytes);
 
 	if (cp == NULL) {
-- 
cgit v1.2.3