dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2025-07-13 06:24:27 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

imageio_util: add ImgIoUtilCheckSizeArgumentsOverflow

Browse Source 
and use it to validate decoder allocations. fixes a crash in jpegdec at
least.

BUG=webp:312

Change-Id: Ia940590098f29510add6aad10a8dfe9e9ea46bf4
This commit is contained in:
James Zern
2016-10-07 13:18:29 -07:00
parent 68ae5b671f
commit bc86b7a8a1
6 changed files with 55 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
imageio/tiffdec.c
View File

@ -22,6 +22,7 @@
#include <tiffio.h>
#include "webp/encode.h"
#include "./imageio_util.h"
#include "./metadata.h"
static const struct {
@ -124,6 +125,7 @@ int ReadTIFF(const uint8_t* const data, size_t data_size,
MySize, MyMapFile, MyUnmapFile);
uint32 width, height;
uint32* raster;
int64_t alloc_size;
int ok = 0;
tdir_t dircount;
@ -144,7 +146,16 @@ int ReadTIFF(const uint8_t* const data, size_t data_size,
fprintf(stderr, "Error! Cannot retrieve TIFF image dimensions.\n");
goto End;
}
raster = (uint32*)_TIFFmalloc(width * height * sizeof(*raster));
if (!ImgIoUtilCheckSizeArgumentsOverflow((uint64_t)width * height,
sizeof(*raster))) {
goto End;
}
// _Tiffmalloc uses a signed type for size.
alloc_size = (int64_t)((uint64_t)width * height * sizeof(*raster));
if (alloc_size < 0 || alloc_size != (tmsize_t)alloc_size) goto End;
raster = (uint32*)_TIFFmalloc((tmsize_t)alloc_size);
if (raster != NULL) {
if (TIFFReadRGBAImageOriented(tif, width, height, raster,
ORIENTATION_TOPLEFT, 1)) {