From 5beedebb828f9dcfcd614abc81926025e039c6cd Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin <vadim@wxwidgets.org>
Date: Tue, 2 Jun 2009 13:51:26 +0000
Subject: [PATCH] check for integer overflow which could result in buffer
 overrun when loading an invalid TIFF file

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@60876 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
---
 src/common/imagtiff.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/common/imagtiff.cpp b/src/common/imagtiff.cpp
index fed6679246..0df1139d8f 100644
--- a/src/common/imagtiff.cpp
+++ b/src/common/imagtiff.cpp
@@ -286,7 +286,6 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
     }
 
     uint32 w, h;
-    uint32 npixels;
     uint32 *raster;
 
     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
@@ -300,9 +299,20 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputStream& stream, bool verbos
                            (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
                             samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
 
-    npixels = w * h;
+    // guard against integer overflow during multiplication which could result
+    // in allocating a too small buffer and then overflowing it
+    const double bytesNeeded = w * h * sizeof(uint32);
+    if ( bytesNeeded >= wxUINT32_MAX )
+    {
+        if ( verbose )
+            wxLogError( _("TIFF: Image size is abnormally big.") );
+
+        TIFFClose(tif);
+
+        return false;
+    }
 
-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+    raster = (uint32*) _TIFFmalloc( bytesNeeded );
 
     if (!raster)
     {
-- 
2.45.2