summaryrefslogtreecommitdiffstats
path: root/src/3rdparty/libtiff/libtiff/tif_tile.c
diff options
context:
space:
mode:
authorEirik Aavitsland <eirik.aavitsland@qt.io>2019-10-23 10:00:23 +0200
committerEirik Aavitsland <eirik.aavitsland@qt.io>2019-10-30 11:57:54 +0100
commit2378a4b6228907e8428f613d2e625601550bfe21 (patch)
tree200c784ae2ed85ac18ba977731f1a9fc78451e4b /src/3rdparty/libtiff/libtiff/tif_tile.c
parent2adadf2561e9b475a7f24f782200d5a703e8129a (diff)
Tiff: Include two upstream CVE fixes in bundled libtiff
For issues CVE-2019-17546 and CVE-2019-14973, the following commits were merged into the bundled libtiff: 4bb584a35f87af42d6cf09d15e9ce8909a839145 RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973) (cherry picked from commit 9fe1f2e918d39031852805f1add23125c061d3c3) Change-Id: Ia98d381bb677fcd167724895515eb3fdecee9709 Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src/3rdparty/libtiff/libtiff/tif_tile.c')
-rw-r--r--src/3rdparty/libtiff/libtiff/tif_tile.c27
1 files changed, 3 insertions, 24 deletions
diff --git a/src/3rdparty/libtiff/libtiff/tif_tile.c b/src/3rdparty/libtiff/libtiff/tif_tile.c
index 58fe935..661cc77 100644
--- a/src/3rdparty/libtiff/libtiff/tif_tile.c
+++ b/src/3rdparty/libtiff/libtiff/tif_tile.c
@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
{
static const char module[] = "TIFFTileRowSize";
uint64 m;
- tmsize_t n;
m=TIFFTileRowSize64(tif);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/*
@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
{
static const char module[] = "TIFFVTileSize";
uint64 m;
- tmsize_t n;
m=TIFFVTileSize64(tif,nrows);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/*
@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
{
static const char module[] = "TIFFTileSize";
uint64 m;
- tmsize_t n;
m=TIFFTileSize64(tif);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/*
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-18 16:28:17 +0000