From 66dc31ec6b9bc20d37678053376ac3811ea6c2c2 Mon Sep 17 00:00:00 2001
From: lukefromdc <lukefromdc@hushmail.com>
Date: Wed, 24 Jul 2019 01:35:22 -0400
Subject: Fix buffer overflow in backend/tiff-document.c

Apply https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
---
 backend/tiff/tiff-document.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

(limited to 'backend')

diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
index 3d273fee..7e384212 100644
--- a/backend/tiff/tiff-document.c
+++ b/backend/tiff/tiff-document.c
@@ -268,13 +268,14 @@ tiff_document_render (EvDocument      *document,
 		return NULL;
 	}
 
-	bytes = height * rowstride;
-	if (bytes / rowstride != height) {
+	if (height >= INT_MAX / rowstride) {
 		g_warning("Overflow while rendering document.");
 		/* overflow */
 		return NULL;
 	}
 
+	bytes = height * rowstride;
+
 	pixels = g_try_malloc (bytes);
 	if (!pixels) {
 		g_warning("Failed to allocate memory for rendering.");
@@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument      *document,
 	if (width <= 0 || height <= 0)
 		return NULL;
 
-	rowstride = width * 4;
-	if (rowstride / 4 != width)
+
+	if (width >= INT_MAX / 4)
 		/* overflow */
 		return NULL;
 
-	bytes = height * rowstride;
-	if (bytes / rowstride != height)
+	rowstride = width * 4;
+
+	if (height >= INT_MAX / rowstride)
 		/* overflow */
 		return NULL;
+	bytes = height * rowstride;
 
 	pixels = g_try_malloc (bytes);
 	if (!pixels)
-- 
cgit v1.2.1