1 diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c 2 index 2861cdd1e..5ed1b7a37 100644 3 --- a/third_party/libtiff/tif_getimage.c 4 +++ b/third_party/libtiff/tif_getimage.c 5 @@ -31,6 +31,7 @@ 6 */ 7 #include "tiffiop.h" 8 #include <stdio.h> 9 +#include <limits.h> 10 11 static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); 12 static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); 13 @@ -612,6 +613,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 14 uint32 tw, th; 15 unsigned char* buf; 16 int32 fromskew, toskew; 17 + int64 safeskew; 18 uint32 nrow; 19 int ret = 1, flip; 20 uint32 this_tw, tocol; 21 @@ -631,19 +633,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 22 flip = setorientation(img); 23 if (flip & FLIP_VERTICALLY) { 24 y = h - 1; 25 - toskew = -(int32)(tw + w); 26 + safeskew = 0; 27 + safeskew -= tw; 28 + safeskew -= w; 29 } 30 else { 31 y = 0; 32 - toskew = -(int32)(tw - w); 33 + safeskew = 0; 34 + safeskew -= tw; 35 + safeskew +=w; 36 } 37 + if(safeskew > INT_MAX || safeskew < INT_MIN){ 38 + _TIFFfree(buf); 39 + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); 40 + return (0); 41 + } 42 + toskew = safeskew; 43 + 44 45 /* 46 * Leftmost tile is clipped on left side if col_offset > 0. 47 */ 48 leftmost_fromskew = img->col_offset % tw; 49 leftmost_tw = tw - leftmost_fromskew; 50 - leftmost_toskew = toskew + leftmost_fromskew; 51 + safeskew = toskew; 52 + safeskew += leftmost_fromskew; 53 + if(safeskew > INT_MAX || safeskew < INT_MIN){ 54 + _TIFFfree(buf); 55 + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); 56 + return (0); 57 + } 58 + leftmost_toskew = safeskew; 59 for (row = 0; row < h; row += nrow) 60 { 61 rowstoread = th - (row + img->row_offset) % th; 62 @@ -668,9 +688,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) 63 /* 64 * Rightmost tile is clipped on right side. 65 */ 66 - fromskew = tw - (w - tocol); 67 + safeskew = tw; 68 + safeskew -= w; 69 + safeskew += tocol; 70 + if(safeskew > INT_MAX || safeskew < INT_MIN){ 71 + _TIFFfree(buf); 72 + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); 73 + return (0); 74 + } 75 + fromskew = safeskew; 76 this_tw = tw - fromskew; 77 - this_toskew = toskew + fromskew; 78 + safeskew = toskew; 79 + safeskew += fromskew; 80 + if(safeskew > INT_MAX || safeskew < INT_MIN){ 81 + _TIFFfree(buf); 82 + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew"); 83 + return (0); 84 + } 85 + this_toskew = safeskew; 86 } 87 (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos); 88 tocol += this_tw; 89
