
Commit 31a6cff3 authored by Ludovico de Nittis, committed by Bastien Nocera

tiff: Check for integer overflows in multiplication

The checks currently in use are not sufficient, because they depend on
undefined behaviour:

    rowstride = width * 4;
    if (rowstride / 4 != width) { /* overflow */

If the multiplication has already overflowed, the compiler may decide
to optimize the if out and thus we do not handle the erroneous case.

Rearrange the checks to avoid the undefined behaviour.

Note that gcc doesn't seem to be impacted, though a defined behaviour is
obviously preferred.

CVE-2017-2870

https://bugzilla.gnome.org/show_bug.cgi?id=780269
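To illustrate the distinction the commit message draws, here is an added example (not gdk-pixbuf's own code): the multiply-then-divide-back check that relies on undefined behaviour, beside a check that decides whether `width * 4` and `height * rowstride` fit before either product is evaluated. Function names are hypothetical, `INT_MAX` stands in for `G_MAXINT`, and the sample dimensions are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The pattern the commit removes: multiply first, then divide back.
 * Signed overflow in width * 4 is undefined behaviour, so a compiler may
 * treat the comparison as always false and drop the branch entirely.
 * Kept only for contrast; never call it with width > INT_MAX / 4. */
static bool overflow_check_after_the_fact(int width)
{
    int rowstride = width * 4;          /* UB when width > INT_MAX / 4 */
    return rowstride / 4 != width;      /* may be optimised to "false" */
}

/* Hypothetical generalisation of the commit's rearranged check: decides
 * whether a * b fits in an int without ever computing the product.
 * Non-positive operands are rejected too, which the commit's
 * `width > G_MAXINT / 4` test on its own does not do. */
static bool product_fits_int(int a, int b)
{
    if (a <= 0 || b <= 0)
        return false;                   /* image dimensions must be positive */
    return a <= INT_MAX / b;            /* a * b <= INT_MAX, nothing overflows */
}

/* Mirrors the two-step sizing in tiff_image_parse (rowstride = width * 4,
 * bytes = height * rowstride). Returns the byte count, or -1 if either
 * multiplication would overflow. INT_MAX stands in for G_MAXINT. */
static int tiff_buffer_bytes(int width, int height)
{
    if (!product_fits_int(width, 4))
        return -1;
    int rowstride = width * 4;          /* safe: range-checked above */
    if (!product_fits_int(height, rowstride))
        return -1;
    return height * rowstride;          /* safe: range-checked above */
}

int main(void)
{
    /* Constructed inputs: a normal image, then dimensions chosen to
     * overflow the first and the second multiplication respectively. */
    printf("100x200      -> %d\n", tiff_buffer_bytes(100, 200));
    printf("INT_MAX/4+1  -> %d\n", tiff_buffer_bytes(INT_MAX / 4 + 1, 1));
    printf("INT_MAX/4 x2 -> %d\n", tiff_buffer_bytes(INT_MAX / 4, 2));
    printf("small, no UB -> %d\n", overflow_check_after_the_fact(100));
    return 0;
}
```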
parent eb0754b7
......@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
_("Width or height of TIFF image is zero"));
return NULL;
}
rowstride = width * 4;
if (rowstride / 4 != width) { /* overflow */
if (width > G_MAXINT / 4) { /* overflow */
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
_("Dimensions of TIFF image too large"));
return NULL;
}
bytes = height * rowstride;
if (bytes / rowstride != height) { /* overflow */
rowstride = width * 4;
if (height > G_MAXINT / rowstride) { /* overflow */
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
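Review bot: the replacement guard `width > G_MAXINT / 4` only rejects large positive widths; the check above it rejects a zero width, but nothing visible in this hunk rejects a negative one, for which `width * 4` can still overflow. Suggest `if (width <= 0 || width > G_MAXINT / 4)` (and the same treatment for height before `height > G_MAXINT / rowstride`, whose division by rowstride is safe only because width has already been confirmed non-zero), or reading both dimensions into an unsigned type before the checks.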
......@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
return NULL;
}
bytes = height * rowstride;
if (context && context->size_func) {
gint w = width;
gint h = height;
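Review bot: `bytes = height * rowstride;` is now evaluated only after the `height > G_MAXINT / rowstride` guard in the previous hunk, which is correct as long as `bytes` has the same width as G_MAXINT (gint); if `bytes` is a wider type such as gsize the guard is stricter than necessary but still safe. Since the check and the product now sit in different places, a one-line comment here noting that both factors have been range-checked above would help future readers.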