      1 diff --git a/core/fxcodec/codec/ccodec_tiffmodule.cpp b/core/fxcodec/codec/ccodec_tiffmodule.cpp
      2 index 09cfea4..20fda63 100644
      3 --- a/core/fxcodec/codec/ccodec_tiffmodule.cpp
      4 +++ b/core/fxcodec/codec/ccodec_tiffmodule.cpp
      5 @@ -79,6 +79,10 @@ int _TIFFmemcmp(const void* ptr1, const void* ptr2, tmsize_t size) {
      6    return memcmp(ptr1, ptr2, (size_t)size);
      7  }
      8  
      9 +int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) {
     10 +  return op1 > std::numeric_limits<tmsize_t>::max() / op2;
     11 +}
     12 +
     13  TIFFErrorHandler _TIFFwarningHandler = nullptr;
     14  TIFFErrorHandler _TIFFerrorHandler = nullptr;
     15  
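Review bot: `_TIFFIfMultiplicationOverflow` divides by `op2` without a zero check, and because it is declared in `tiffio.h`, any caller other than the guarded one in `_TIFFCheckRealloc` that passes `op2 == 0` will divide by zero. `tmsize_t` is normally a signed type, and a negative operand makes the comparison report "no overflow" for a value that is not a usable size. Making the helper total removes the dependence on each caller's pre-checks: add `if (op1 <= 0 || op2 <= 0) return op1 < 0 || op2 < 0;` ahead of the existing `return`. `std::numeric_limits` needs `<limits>`; the include list is outside the hunk, so confirm it is present.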
     16 diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
     17 index 927150a..3ce3680 100644
     18 --- a/third_party/libtiff/tif_aux.c
     19 +++ b/third_party/libtiff/tif_aux.c
     20 @@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
     21  	/*
     22  	 * XXX: Check for integer overflow.
     23  	 */
     24 -	if (nmemb && elem_size && bytes / elem_size == nmemb)
     25 +	if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
     26  		cp = _TIFFrealloc(buffer, bytes);
     27  
     28  	if (cp == NULL) {
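Review bot: The overflow test now guards the `_TIFFrealloc` call, but `bytes` is computed above this hunk, presumably as `nmemb * elem_size`, so the multiplication has already been evaluated by the time the check runs. With a signed `tmsize_t` that is undefined behaviour on overflow, and a wrapped `bytes` is exactly the undersized-allocation case this check exists to stop. Consider forming the product only after the check passes, e.g. `cp = _TIFFrealloc(buffer, nmemb * elem_size);` inside the guarded branch. The stale `XXX: Check for integer overflow.` comment could also be replaced with one that states what the helper guarantees. `_TIFFCheckRealloc` starts and ends outside the hunk, so the declaration of `bytes` should be confirmed there.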
     29 diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h
     30 index 038b670..056aed2 100644
     31 --- a/third_party/libtiff/tiffio.h
     32 +++ b/third_party/libtiff/tiffio.h
     33 @@ -298,6 +298,7 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c);
     34  extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
     35  extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c);
     36  extern void _TIFFfree(void* p);
     37 +extern int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2);
     38  
     39  /*
     40  ** Stuff, related to tag handling and creating custom tags.
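Review bot: The new declaration has no comment, and the name does not make the return convention obvious; the call site in `tif_aux.c` negates the result, so non-zero means the product would overflow. The symbol appears to be supplied by the embedder alongside `_TIFFmemcmp` and the other memory hooks, so the contract belongs in the header: `/* Returns non-zero if op1 * op2 would exceed the tmsize_t range; callers must pass op2 != 0. */`. The precondition reflects the definition in `ccodec_tiffmodule.cpp`, which divides by `op2`.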
     41