check for integer overflow which could result in buffer overrun when loading an inval...

author Vadim Zeitlin <vadim@wxwidgets.org>

Tue, 2 Jun 2009 13:51:26 +0000 (13:51 +0000)

committer Vadim Zeitlin <vadim@wxwidgets.org>

Tue, 2 Jun 2009 13:51:26 +0000 (13:51 +0000)
author Vadim Zeitlin <vadim@wxwidgets.org>
Tue, 2 Jun 2009 13:51:26 +0000 (13:51 +0000)
committer Vadim Zeitlin <vadim@wxwidgets.org>
Tue, 2 Jun 2009 13:51:26 +0000 (13:51 +0000)
diff --git a/src/common/imagtiff.cpp b/src/common/imagtiff.cpp

index fed6679246e0c79b02b03c8c8a541b8bfc165f38..0df1139d8f87aaf4bb6549764168edf5da9a982c 100644 (file)
--- a/src/common/imagtiff.cpp
+++ b/src/common/imagtiff.cpp
@@ -286,7 +286,6 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
      }
  
      uint32 w, h;
-    uint32 npixels;
      uint32 *raster;
  
      TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
@@ -300,9 +299,20 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
                             (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
                              samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
  
-    npixels = w * h;
+    // guard against integer overflow during multiplication which could result
+    // in allocating a too small buffer and then overflowing it
+    const double bytesNeeded = w * h * sizeof(uint32);
+    if ( bytesNeeded >= wxUINT32_MAX )
+    {
+        if ( verbose )
+            wxLogError( _("TIFF: Image size is abnormally big.") );
+
+        TIFFClose(tif);
+
+        return false;
+    }
  
-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+    raster = (uint32*) _TIFFmalloc( bytesNeeded );
  
      if (!raster)
      {
author	Vadim Zeitlin <vadim@wxwidgets.org>
	Tue, 2 Jun 2009 13:51:26 +0000 (13:51 +0000)
committer	Vadim Zeitlin <vadim@wxwidgets.org>
	Tue, 2 Jun 2009 13:51:26 +0000 (13:51 +0000)