diff options
| author | lukefromdc <[email protected]> | 2019-07-27 15:07:13 -0400 |
|---|---|---|
| committer | raveit65 <[email protected]> | 2019-07-28 09:45:58 +0200 |
| commit | aa8c51c24a3d716986ace9a4104a9632436ccff5 (patch) | |
| tree | cf2d6d38cee723a22d6fc787e7bb0fc5019f5c7c | |
| parent | 8ecc5b244bb073840dfa72eb6982d49526e69e74 (diff) | |
| download | atril-aa8c51c24a3d716986ace9a4104a9632436ccff5.tar.bz2 atril-aa8c51c24a3d716986ace9a4104a9632436ccff5.tar.xz | |
Fix buffer overflow in backend/tiff-document.c
Apply https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
| -rw-r--r-- | backend/tiff/tiff-document.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c index 0aa31cb6..94adc400 100644 --- a/backend/tiff/tiff-document.c +++ b/backend/tiff/tiff-document.c @@ -268,13 +268,14 @@ tiff_document_render (EvDocument *document, return NULL; } - bytes = height * rowstride; - if (bytes / rowstride != height) { + if (height >= INT_MAX / rowstride) { g_warning("Overflow while rendering document."); /* overflow */ return NULL; } + bytes = height * rowstride; + pixels = g_try_malloc (bytes); if (!pixels) { g_warning("Failed to allocate memory for rendering."); @@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument *document, if (width <= 0 || height <= 0) return NULL; - rowstride = width * 4; - if (rowstride / 4 != width) + if (width >= INT_MAX / 4) /* overflow */ return NULL; - bytes = height * rowstride; - if (bytes / rowstride != height) + rowstride = width * 4; + + if (height >= INT_MAX / rowstride) /* overflow */ - return NULL; + return NULL; + + bytes = height * rowstride; pixels = g_try_malloc (bytes); if (!pixels) |