From 66dc31ec6b9bc20d37678053376ac3811ea6c2c2 Mon Sep 17 00:00:00 2001 From: lukefromdc Date: Wed, 24 Jul 2019 01:35:22 -0400 Subject: Fix buffer overflow in backend/tiff-document.c Apply https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 --- backend/tiff/tiff-document.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'backend') diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c index 3d273fee..7e384212 100644 --- a/backend/tiff/tiff-document.c +++ b/backend/tiff/tiff-document.c @@ -268,13 +268,14 @@ tiff_document_render (EvDocument *document, return NULL; } - bytes = height * rowstride; - if (bytes / rowstride != height) { + if (height >= INT_MAX / rowstride) { g_warning("Overflow while rendering document."); /* overflow */ return NULL; } + bytes = height * rowstride; + pixels = g_try_malloc (bytes); if (!pixels) { g_warning("Failed to allocate memory for rendering."); @@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument *document, if (width <= 0 || height <= 0) return NULL; - rowstride = width * 4; - if (rowstride / 4 != width) + + if (width >= INT_MAX / 4) /* overflow */ return NULL; - bytes = height * rowstride; - if (bytes / rowstride != height) + rowstride = width * 4; + + if (height >= INT_MAX / rowstride) /* overflow */ return NULL; + bytes = height * rowstride; pixels = g_try_malloc (bytes); if (!pixels) -- cgit v1.2.1