https://github.com/libsdl-org/libtiff/commit/db3eeb513ba584c7f5e16f9cf9aa7771f43a06ce
From db3eeb513ba584c7f5e16f9cf9aa7771f43a06ce Mon Sep 17 00:00:00 2001
From: Andrey Kiselev <[EMAIL REDACTED]>
Date: Wed, 7 Jul 2010 14:02:56 +0000
Subject: [PATCH] Avoid integer overflows computing the buffer size for large
directories. As per bug http://bugzilla.maptools.org/show_bug.cgi?id=2218
---
ChangeLog | 6 ++++++
tools/tiffdump.c | 11 ++++++++---
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d4c0fd63..43ceaf47 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2010-07-07 Andrey Kiselev <dron@ak4719.spb.edu>
+
+ * tools/tiffdump.c: Avoid integer overflows computing the buffer size
+ for large directories. As per bug
+ http://bugzilla.maptools.org/show_bug.cgi?id=2218
+
2010-07-06 Andrey Kiselev <dron@ak4719.spb.edu>
* tools/tiffset.c: Properly handle TIFFTAG_PAGENUMBER,
diff --git a/tools/tiffdump.c b/tools/tiffdump.c
index 8f9461ce..3be72420 100644
--- a/tools/tiffdump.c
+++ b/tools/tiffdump.c
@@ -1,4 +1,4 @@
-/* $Id: tiffdump.c,v 1.13.2.3 2010-07-02 11:03:25 dron Exp $ */
+/* $Id: tiffdump.c,v 1.13.2.4 2010-07-07 14:02:56 dron Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -52,6 +52,11 @@
# define O_BINARY 0
#endif
+/* Safe multiply which returns zero if there is an integer overflow */
+#ifndef TIFFSafeMultiply
+# define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
+#endif
+
char* appname;
char* curfile;
int swabflag;
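Review bot: The new TIFFSafeMultiply macro expands `v` and `m` without parentheses and evaluates each of them several times, so an argument that is a compound expression or has side effects would be miscomputed. The product `v*m` is also formed in the operands' own promoted type and only then cast to `t`, so the divide-back test detects wrap-around in that type rather than a result that does not fit `t`; if both operands were ever signed, the multiplication itself would already be undefined on overflow. I would parenthesize the arguments, `# define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)`, and extend the comment to say `/* Arguments are evaluated more than once and must be side-effect free; callers must treat 0 as "overflow or zero-sized" */`.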
@@ -314,7 +319,7 @@ ReadDirectory(int fd, unsigned ix, off_t off)
printf(">\n");
continue;
}
- space = dp->tdir_count * datawidth[dp->tdir_type];
+ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
if (space <= 0) {
printf(">\n");
Error("Invalid count for tag %u", dp->tdir_tag);
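Review bot: The overflow rejection on the new `space = TIFFSafeMultiply(int, ...)` line is implicit: the macro yields 0 on wrap-around and the pre-existing `if (space <= 0)` test is what turns that into an error, which is easy to lose in a later edit. A short comment above the test would make the dependency explicit, for example `/* TIFFSafeMultiply returns 0 on overflow; a negative value means the product did not fit in int */`. ReadDirectory starts and ends outside this hunk, so it cannot be confirmed from here whether `dp->tdir_type` is range-checked before it indexes `datawidth`; the `continue` just above suggests it is.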
@@ -638,7 +643,7 @@ TIFFFetchData(int fd, TIFFDirEntry* dir, void* cp)
w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
cc = dir->tdir_count * w;
if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
- && read(fd, cp, cc) != -1) {
+ && read(fd, cp, cc) == cc) {
if (swabflag) {
switch (dir->tdir_type) {
case TIFF_SHORT:
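Review bot: `cc = dir->tdir_count * w;` directly above the changed `read()` line is still a plain multiplication, so TIFFFetchData computes its read length without the overflow check this commit introduces in ReadDirectory. If the caller sizes the buffer behind `cp` from the checked `space` value, the two computations probably agree today, but using the same helper here, `cc = TIFFSafeMultiply(int, dir->tdir_count, w);`, would keep the allocation size and the read length from diverging. The new `read(fd, cp, cc) == cc` comparison also depends on the declared type of `cc`, which is outside the hunk; it is worth confirming that it is a signed type so the comparison against read()'s return value behaves as intended. The function body continues past the end of this hunk.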