Chromium Code Reviews

Side by Side Diff: third_party/libtiff/tif_aux.c

Issue 2405693002: libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip. (Closed)
Patch Set: Created 4 years, 2 months ago
OLDNEW
1 /* $Id: tif_aux.c,v 1.26 2010-07-01 15:33:28 dron Exp $ */ 1 /* $Id: tif_aux.c,v 1.26 2010-07-01 15:33:28 dron Exp $ */
2 2
3 /* 3 /*
4 * Copyright (c) 1991-1997 Sam Leffler 4 * Copyright (c) 1991-1997 Sam Leffler
5 * Copyright (c) 1991-1997 Silicon Graphics, Inc. 5 * Copyright (c) 1991-1997 Silicon Graphics, Inc.
6 * 6 *
7 * Permission to use, copy, modify, distribute, and sell this software and 7 * Permission to use, copy, modify, distribute, and sell this software and
8 * its documentation for any purpose is hereby granted without fee, provided 8 * its documentation for any purpose is hereby granted without fee, provided
9 * that (i) the above copyright notices and this permission notice appear in 9 * that (i) the above copyright notices and this permission notice appear in
10 * all copies of the software and related documentation, and (ii) the names of 10 * all copies of the software and related documentation, and (ii) the names of
(...skipping 51 matching lines...)
62 void* 62 void*
63 _TIFFCheckRealloc(TIFF* tif, void* buffer, 63 _TIFFCheckRealloc(TIFF* tif, void* buffer,
64 tmsize_t nmemb, tmsize_t elem_size, const char* what) 64 tmsize_t nmemb, tmsize_t elem_size, const char* what)
65 { 65 {
66 void* cp = NULL; 66 void* cp = NULL;
67 tmsize_t bytes = nmemb * elem_size; 67 tmsize_t bytes = nmemb * elem_size;
68 68
69 /* 69 /*
70 * XXX: Check for integer overflow. 70 * XXX: Check for integer overflow.
71 */ 71 */
72 » if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_siz e)) 72 » if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
hong_zhang 2016/10/17 18:07:38 Hi, may I ask why? I thought tmsize_t is unsigned.
Tom Sepez 2016/10/17 18:20:04 nmemb is tmsize_t. tmsize_t is TIFF_SSIZE_T at h
73 cp = _TIFFrealloc(buffer, bytes); 73 cp = _TIFFrealloc(buffer, bytes);
74 74
75 if (cp == NULL) { 75 if (cp == NULL) {
76 TIFFErrorExt(tif->tif_clientdata, tif->tif_name, 76 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
77 "Failed to allocate memory for %s " 77 "Failed to allocate memory for %s "
78 "(%ld elements of %ld bytes each)", 78 "(%ld elements of %ld bytes each)",
79 what,(long) nmemb, (long) elem_size); 79 what,(long) nmemb, (long) elem_size);
80 } 80 }
81 81
82 return cp; 82 return cp;
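Review bot: at line 67, `tmsize_t bytes = nmemb * elem_size;` is still evaluated before the guard on line 72, so with a signed tmsize_t (TIFF_SSIZE_T, per the reply above) the product can overflow before `_TIFFIfMultiplicationOverflow(nmemb, elem_size)` is consulted, and signed overflow is undefined behaviour in C. Consider computing `bytes` only inside the guarded branch, once the `nmemb > 0 && elem_size > 0` and overflow checks have passed. The `XXX: Check for integer overflow.` comment could also state that non-positive counts are rejected, since that is what the new `> 0` comparisons add over the old truthiness test.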
(...skipping 266 matching lines...)
349 } 349 }
350 350
351 /* vim: set ts=8 sts=8 sw=8 noet: */ 351 /* vim: set ts=8 sts=8 sw=8 noet: */
352 /* 352 /*
353 * Local Variables: 353 * Local Variables:
354 * mode: c 354 * mode: c
355 * c-basic-offset: 8 355 * c-basic-offset: 8
356 * fill-column: 78 356 * fill-column: 78
357 * End: 357 * End:
358 */ 358 */