diff options
| author | lukefromdc <[email protected]> | 2019-07-24 01:35:22 -0400 |
|---|---|---|
| committer | raveit65 <[email protected]> | 2019-07-27 11:43:20 +0200 |
| commit | 66dc31ec6b9bc20d37678053376ac3811ea6c2c2 (patch) | |
| tree | 5bc06990ed2b803f7d9878a562171bbdff41d9d6 | |
| parent | dde1493f75f326bc30d526c6ae9eaaec89ae6122 (diff) | |
| download | atril-66dc31ec6b9bc20d37678053376ac3811ea6c2c2.tar.bz2 atril-66dc31ec6b9bc20d37678053376ac3811ea6c2c2.tar.xz | |
Fix buffer overflow in backend/tiff-document.c
Apply https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
| -rw-r--r-- | backend/tiff/tiff-document.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c index 3d273fee..7e384212 100644 --- a/backend/tiff/tiff-document.c +++ b/backend/tiff/tiff-document.c @@ -268,13 +268,14 @@ tiff_document_render (EvDocument *document, return NULL; } - bytes = height * rowstride; - if (bytes / rowstride != height) { + if (height >= INT_MAX / rowstride) { g_warning("Overflow while rendering document."); /* overflow */ return NULL; } + bytes = height * rowstride; + pixels = g_try_malloc (bytes); if (!pixels) { g_warning("Failed to allocate memory for rendering."); @@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument *document, if (width <= 0 || height <= 0) return NULL; - rowstride = width * 4; - if (rowstride / 4 != width) + + if (width >= INT_MAX / 4) /* overflow */ return NULL; - bytes = height * rowstride; - if (bytes / rowstride != height) + rowstride = width * 4; + + if (height >= INT_MAX / rowstride) /* overflow */ return NULL; + bytes = height * rowstride; pixels = g_try_malloc (bytes); if (!pixels) |