path: root/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
blob: 10c5077392d4f2fccb11b7a6125d6ae18130719e (plain)
diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
index 2861cdd1e..5ed1b7a37 100644
--- a/third_party/libtiff/tif_getimage.c
+++ b/third_party/libtiff/tif_getimage.c
@@ -31,6 +31,7 @@
  */
 #include "tiffiop.h"
 #include <stdio.h>
+#include <limits.h>
 
 static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
 static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
@@ -612,6 +613,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
     uint32 tw, th;
     unsigned char* buf;
     int32 fromskew, toskew;
+    int64 safeskew;
     uint32 nrow;
     int ret = 1, flip;
     uint32 this_tw, tocol;
@@ -631,19 +633,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
     flip = setorientation(img);
     if (flip & FLIP_VERTICALLY) {
            y = h - 1;
-           toskew = -(int32)(tw + w);
+           safeskew = 0;
+           safeskew -= tw;
+           safeskew -= w;
     }
     else {
            y = 0;
-           toskew = -(int32)(tw - w);
+           safeskew = 0;
+           safeskew -= tw;
+           safeskew +=w;
     }
+    if(safeskew > INT_MAX || safeskew < INT_MIN){
+       _TIFFfree(buf);
+       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+       return (0);
+    }
+    toskew = safeskew;
+
      
     /*
      * Leftmost tile is clipped on left side if col_offset > 0.
      */
     leftmost_fromskew = img->col_offset % tw;
     leftmost_tw = tw - leftmost_fromskew;
-    leftmost_toskew = toskew + leftmost_fromskew;
+    safeskew = toskew;
+    safeskew += leftmost_fromskew;
+    if(safeskew > INT_MAX || safeskew < INT_MIN){
+       _TIFFfree(buf);
+       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+       return (0);
+    }
+    leftmost_toskew = safeskew;
     for (row = 0; row < h; row += nrow)
     {
         rowstoread = th - (row + img->row_offset) % th;
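Review bot: The overflow guard (range test, `_TIFFfree(buf)`, `TIFFErrorExt(..., "Invalid skew")`, `return (0)`) is written out twice in this hunk and twice more in the hunk at -668, and every copy compares against `INT_MAX`/`INT_MIN` although the destinations `toskew` and `leftmost_toskew` are `int32`. Those limits match int32 only where `int` is 32 bits wide. A single narrowing helper with explicit 32-bit bounds would keep the four sites consistent while each call site keeps its own cleanup. gtTileContig starts and ends outside the hunk, so whether `buf` is already allocated at these early returns cannot be confirmed from here and is worth checking.
```c
/* Store skew in *out when it fits in int32; return 0 otherwise. */
static int
skewToInt32(int64 skew, int32* out)
{
    if (skew > (int64)0x7FFFFFFF || skew < -(int64)0x7FFFFFFF - 1)
        return (0);
    *out = (int32)skew;
    return (1);
}

/* ... unchanged: safeskew computed from tw and w for each orientation ... */
    if (!skewToInt32(safeskew, &toskew)) {
        _TIFFfree(buf);
        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
        return (0);
    }
```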
@@ -668,9 +688,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
                /*
                 * Rightmost tile is clipped on right side.
                 */
-               fromskew = tw - (w - tocol);
+               safeskew = tw;
+               safeskew -= w;
+               safeskew += tocol;
+               if(safeskew > INT_MAX || safeskew < INT_MIN){
+                       _TIFFfree(buf);
+                       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+                       return (0);
+               }
+               fromskew = safeskew;
                this_tw = tw - fromskew;
-               this_toskew = toskew + fromskew;
+               safeskew = toskew;
+               safeskew += fromskew;
+               if(safeskew > INT_MAX || safeskew < INT_MIN){
+                       _TIFFfree(buf);
+                       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+                       return (0);
+               }
+               this_toskew = safeskew;
            }
            (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos);
            tocol += this_tw;
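Review bot: The first guard in this hunk accepts any value that fits in 32 bits for `fromskew`, including a negative one, yet the next line computes `this_tw = tw - fromskew` in `uint32`, so a negative skew would produce a tile width larger than `tw` that is then passed to `(*put)`. For a tile clipped on the right, the meaningful range is presumably 0 to `tw`, so the check could be tightened to `if (safeskew < 0 || safeskew > (int64)tw) {`. The branch condition that selects this path is outside the hunk, so confirm it does not already guarantee that range. The unchanged `raster+y*w+tocol` still multiplies in `uint32`, which this patch does not cover.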