diff options
| author | lukefromdc <[email protected]> | 2019-07-24 01:35:22 -0400 | 
|---|---|---|
| committer | raveit65 <[email protected]> | 2019-07-27 11:43:20 +0200 | 
| commit | 66dc31ec6b9bc20d37678053376ac3811ea6c2c2 (patch) | |
| tree | 5bc06990ed2b803f7d9878a562171bbdff41d9d6 /backend/tiff | |
| parent | dde1493f75f326bc30d526c6ae9eaaec89ae6122 (diff) | |
| download | atril-66dc31ec6b9bc20d37678053376ac3811ea6c2c2.tar.bz2 atril-66dc31ec6b9bc20d37678053376ac3811ea6c2c2.tar.xz | |
Fix buffer overflow in backend/tiff-document.c
Apply https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
Diffstat (limited to 'backend/tiff')
| -rw-r--r-- | backend/tiff/tiff-document.c | 15 | 
1 files changed, 9 insertions, 6 deletions
| diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c index 3d273fee..7e384212 100644 --- a/backend/tiff/tiff-document.c +++ b/backend/tiff/tiff-document.c @@ -268,13 +268,14 @@ tiff_document_render (EvDocument      *document,  		return NULL;  	} -	bytes = height * rowstride; -	if (bytes / rowstride != height) { +	if (height >= INT_MAX / rowstride) {  		g_warning("Overflow while rendering document.");  		/* overflow */  		return NULL;  	} +	bytes = height * rowstride; +  	pixels = g_try_malloc (bytes);  	if (!pixels) {  		g_warning("Failed to allocate memory for rendering."); @@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument      *document,  	if (width <= 0 || height <= 0)  		return NULL; -	rowstride = width * 4; -	if (rowstride / 4 != width) + +	if (width >= INT_MAX / 4)  		/* overflow */  		return NULL; -	bytes = height * rowstride; -	if (bytes / rowstride != height) +	rowstride = width * 4; + +	if (height >= INT_MAX / rowstride)  		/* overflow */  		return NULL; +	bytes = height * rowstride;  	pixels = g_try_malloc (bytes);  	if (!pixels) | 
