• Ludovico de Nittis's avatar
    tiff: Check for integer overflows in multiplication · 31a6cff3
    Ludovico de Nittis authored
    The checks currently in use are not sufficient, because they depend on
    undefined behaviour:
    
        rowstride = width * 4;
        if (rowstride / 4 != width) { /* overflow */
    
    If the multiplication has already overflowed, the compiler may decide
    to optimize the if out and thus we do not handle the erroneous case.
    
    Rearrange the checks to avoid the undefined behaviour.
    
    Note that gcc doesn't seem to be impacted, though a defined behaviour is
    obviously preferred.
    
    CVE-2017-2870
    
    https://bugzilla.gnome.org/show_bug.cgi?id=780269
    31a6cff3
io-tiff.c 33.8 KB