author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2019-10-23 10:00:23 +0200 |
---|---|---|
committer | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2019-10-30 11:57:54 +0100 |
commit | 2378a4b6228907e8428f613d2e625601550bfe21 (patch) | |
tree | 200c784ae2ed85ac18ba977731f1a9fc78451e4b /src/3rdparty/libtiff/libtiff/tif_tile.c | |
parent | 2adadf2561e9b475a7f24f782200d5a703e8129a (diff) |
Tiff: Include two upstream CVE fixes in bundled libtiff
For issues CVE-2019-17546 and CVE-2019-14973, the following commits
were merged into the bundled libtiff:
4bb584a35f87af42d6cf09d15e9ce8909a839145 RGBA interface: fix integer
overflow potentially causing write heap buffer overflow, especially on
32 bit builds. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to
OSS Fuzz
1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 Fix integer overflow in
_TIFFCheckMalloc() and other implementation-defined behaviour
(CVE-2019-14973)
(cherry picked from commit 9fe1f2e918d39031852805f1add23125c061d3c3)
Change-Id: Ia98d381bb677fcd167724895515eb3fdecee9709
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src/3rdparty/libtiff/libtiff/tif_tile.c')
-rw-r--r-- | src/3rdparty/libtiff/libtiff/tif_tile.c | 27 |
1 files changed, 3 insertions, 24 deletions
diff --git a/src/3rdparty/libtiff/libtiff/tif_tile.c b/src/3rdparty/libtiff/libtiff/tif_tile.c
index 58fe935..661cc77 100644
--- a/src/3rdparty/libtiff/libtiff/tif_tile.c
+++ b/src/3rdparty/libtiff/libtiff/tif_tile.c
@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
 {
 static const char module[] = "TIFFTileRowSize";
 uint64 m;
- tmsize_t n;
 m=TIFFTileRowSize64(tif);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
 }
 
 /*
@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
 {
 static const char module[] = "TIFFVTileSize";
 uint64 m;
- tmsize_t n;
 m=TIFFVTileSize64(tif,nrows);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
 }
 
 /*
@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
 {
 static const char module[] = "TIFFTileSize";
 uint64 m;
- tmsize_t n;
 m=TIFFTileSize64(tif);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
 }
 
 /* |
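Review bot: The new `return _TIFFCastUInt64ToSSize(tif, m, module);` in TIFFTileRowSize moves the overflow handling into a helper that this file's diff neither defines nor declares, so the contract the removed lines made explicit (report "Integer overflow", return 0) can no longer be read here; the TIFFVTileSize and TIFFTileSize hunks have the same gap. The removed test `(uint64)n!=m` ran after an implementation-defined narrowing cast and, where tmsize_t is 64 bits wide, would presumably have let a value above the signed maximum through as a negative size, so the helper needs to compare against the maximum before casting. Assuming it keeps the return-0 convention, a one-line comment above each return such as `/* 0 on overflow; error already reported via TIFFErrorExt */` would keep that visible, and callers should reject 0 before using the result as an allocation or copy length. Only the function name is visible from each hunk header; the return-type line sits outside the hunk.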