diff options
author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2019-10-23 10:00:23 +0200 |
---|---|---|
committer | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2019-10-23 12:30:04 +0200 |
commit | 9fe1f2e918d39031852805f1add23125c061d3c3 (patch) | |
tree | dd2faa67c4a4e08b3dade4c4963709f05aa67a15 /src/3rdparty/libtiff/libtiff/tiffiop.h | |
parent | 606ae7e0197f3bcff442c2df3beb918952d8e822 (diff) |
Tiff: Include two upstream CVE fixes in bundled libtiffv5.13.2
For issues CVE-2019-17546 and CVE-2019-14973, the following commits
were merged into the bundled libtiff:
4bb584a35f87af42d6cf09d15e9ce8909a839145 RGBA interface: fix integer
overflow potentially causing write heap buffer overflow, especially on
32 bit builds. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to
OSS Fuzz
1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 Fix integer overflow in
_TIFFCheckMalloc() and other implementation-defined behaviour
(CVE-2019-14973)
Fixes: QTBUG-79397
Change-Id: I29257e6dbfbd816224d3dbaefdbe8afecd25f288
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src/3rdparty/libtiff/libtiff/tiffiop.h')
-rw-r--r-- | src/3rdparty/libtiff/libtiff/tiffiop.h | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/3rdparty/libtiff/libtiff/tiffiop.h b/src/3rdparty/libtiff/libtiff/tiffiop.h index 186c291..558484f 100644 --- a/src/3rdparty/libtiff/libtiff/tiffiop.h +++ b/src/3rdparty/libtiff/libtiff/tiffiop.h @@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...); #define FALSE 0 #endif +#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) + typedef struct client_info { struct client_info *next; void *data; @@ -258,7 +261,7 @@ struct tiff { #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) -/* Safe multiply which returns zero if there is an integer overflow */ +/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */ #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) #define TIFFmax(A,B) ((A)>(B)?(A):(B)) @@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt; extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*); extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*); +extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*); +extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*); extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); |