blob: 913e403129427674e6f6de7f1b484c6484b501b6 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
From aa8c51c24a3d716986ace9a4104a9632436ccff5 Mon Sep 17 00:00:00 2001
From: lukefromdc <lukefromdc@hushmail.com>
Date: Sat, 27 Jul 2019 15:07:13 -0400
Subject: [PATCH] Fix buffer overflow in backend/tiff-document.c
Apply https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
---
backend/tiff/tiff-document.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
index 0aa31cb6..94adc400 100644
--- a/backend/tiff/tiff-document.c
+++ b/backend/tiff/tiff-document.c
@@ -268,13 +268,14 @@ tiff_document_render (EvDocument *document,
return NULL;
}
- bytes = height * rowstride;
- if (bytes / rowstride != height) {
+ if (height >= INT_MAX / rowstride) {
g_warning("Overflow while rendering document.");
/* overflow */
return NULL;
}
+ bytes = height * rowstride;
+
pixels = g_try_malloc (bytes);
if (!pixels) {
g_warning("Failed to allocate memory for rendering.");
@@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument *document,
if (width <= 0 || height <= 0)
return NULL;
- rowstride = width * 4;
- if (rowstride / 4 != width)
+ if (width >= INT_MAX / 4)
/* overflow */
return NULL;
- bytes = height * rowstride;
- if (bytes / rowstride != height)
+ rowstride = width * 4;
+
+ if (height >= INT_MAX / rowstride)
/* overflow */
- return NULL;
+ return NULL;
+
+ bytes = height * rowstride;
pixels = g_try_malloc (bytes);
if (!pixels)
|