[gdk-pixbuf] tiff: Check for integer overflows in multiplication

From: Bastien Nocera <hadess src gnome org>
To: commits-list gnome org
Cc:
Subject: [gdk-pixbuf] tiff: Check for integer overflows in multiplication
Date: Thu, 13 Jul 2017 17:08:46 +0000 (UTC)

commit 31a6cff3dfc6944aad4612a9668b8ad39122e48b
Author: Ludovico de Nittis <aasonykk gmail com>
Date:   Sun Mar 19 16:11:13 2017 +0100

    tiff: Check for integer overflows in multiplication
    
    The checks currently in use are not sufficient, because they depend on
    undefined behaviour:
    
        rowstride = width * 4;
        if (rowstride / 4 != width) { /* overflow */
    
    If the multiplication has already overflowed, the compiler may decide
    to optimize the if out and thus we do not handle the erroneous case.
    
    Rearrange the checks to avoid the undefined behaviour.
    
    Note that gcc doesn't seem to be impacted, though a defined behaviour is
    obviously preferred.
    
    CVE-2017-2870
    
    https://bugzilla.gnome.org/show_bug.cgi?id=780269

 gdk-pixbuf/io-tiff.c |   14 ++++++++------
 1 files changed, 8 insertions(+), 6 deletions(-)
---
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index fb5d550..7d055cf 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
                                      _("Width or height of TIFF image is zero"));
                 return NULL;                
         }
-        
-        rowstride = width * 4;
-        if (rowstride / 4 != width) { /* overflow */
+
+        if (width > G_MAXINT / 4) { /* overflow */
                 g_set_error_literal (error,
                                      GDK_PIXBUF_ERROR,
                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                      _("Dimensions of TIFF image too large"));
                 return NULL;                
         }
-        
-        bytes = height * rowstride;
-        if (bytes / rowstride != height) { /* overflow */
+
+        rowstride = width * 4;
+
+        if (height > G_MAXINT / rowstride) { /* overflow */
                 g_set_error_literal (error,
                                      GDK_PIXBUF_ERROR,
                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
                 return NULL;                
         }
 
+        bytes = height * rowstride;
+
        if (context && context->size_func) {
                 gint w = width;
                 gint h = height;

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]