From aa8c51c24a3d716986ace9a4104a9632436ccff5 Mon Sep 17 00:00:00 2001 From: lukefromdc Date: Sat, 27 Jul 2019 15:07:13 -0400 Subject: [PATCH] Fix buffer overflow in backend/tiff-document.c Apply https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 --- backend/tiff/tiff-document.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c index 0aa31cb6..94adc400 100644 --- a/backend/tiff/tiff-document.c +++ b/backend/tiff/tiff-document.c @@ -268,13 +268,14 @@ tiff_document_render (EvDocument *document, return NULL; } - bytes = height * rowstride; - if (bytes / rowstride != height) { + if (height >= INT_MAX / rowstride) { g_warning("Overflow while rendering document."); /* overflow */ return NULL; } + bytes = height * rowstride; + pixels = g_try_malloc (bytes); if (!pixels) { g_warning("Failed to allocate memory for rendering."); @@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument *document, if (width <= 0 || height <= 0) return NULL; - rowstride = width * 4; - if (rowstride / 4 != width) + if (width >= INT_MAX / 4) /* overflow */ return NULL; - bytes = height * rowstride; - if (bytes / rowstride != height) + rowstride = width * 4; + + if (height >= INT_MAX / rowstride) /* overflow */ - return NULL; + return NULL; + + bytes = height * rowstride; pixels = g_try_malloc (bytes); if (!pixels)