From 21533e4deba80290bbc46f1a9e660196f75be45f Mon Sep 17 00:00:00 2001 From: nulano Date: Thu, 2 Jul 2020 16:14:07 +0200 Subject: [PATCH] tiff comparison warnings --- src/libImaging/TiffDecode.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c index 532db1f68..54f85f7f0 100644 --- a/src/libImaging/TiffDecode.c +++ b/src/libImaging/TiffDecode.c @@ -344,13 +344,20 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ } if (TIFFIsTiled(tiff)) { - UINT32 x, y, tile_y, row_byte_size; - UINT32 tile_width, tile_length, current_tile_width; + INT32 x, y, tile_y; + UINT32 tile_width, tile_length, current_tile_width, row_byte_size; UINT8 *new_data; TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tile_width); TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tile_length); + /* overflow check for row_byte_size calculation */ + if ((UINT32) INT_MAX / state->bits < tile_width) { + state->errcode = IMAGING_CODEC_MEMORY; + TIFFClose(tiff); + return -1; + } + // We could use TIFFTileSize, but for YCbCr data it returns subsampled data size row_byte_size = (tile_width * state->bits + 7) / 8; @@ -394,10 +401,10 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ TRACE(("Read tile at %dx%d; \n\n", x, y)); - current_tile_width = min(tile_width, state->xsize - x); + current_tile_width = min((INT32) tile_width, state->xsize - x); // iterate over each line in the tile and stuff data into image - for (tile_y = 0; tile_y < min(tile_length, state->ysize - y); tile_y++) { + for (tile_y = 0; tile_y < min((INT32) tile_length, state->ysize - y); tile_y++) { TRACE(("Writing tile data at %dx%d using tile_width: %d; \n", tile_y + y, x, current_tile_width)); // UINT8 * bbb = state->buffer + tile_y * row_byte_size; @@ -411,9 +418,9 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ } } } else { - UINT32 strip_row, row_byte_size; + INT32 strip_row; UINT8 *new_data; - UINT32 rows_per_strip; + UINT32 rows_per_strip, row_byte_size; int ret; ret = TIFFGetField(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip); @@ -468,7 +475,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_ TRACE(("Decoded strip for row %d \n", state->y)); // iterate over each row in the strip and stuff data into image - for (strip_row = 0; strip_row < min(rows_per_strip, state->ysize - state->y); strip_row++) { + for (strip_row = 0; strip_row < min((INT32) rows_per_strip, state->ysize - state->y); strip_row++) { TRACE(("Writing data into line %d ; \n", state->y + strip_row)); // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip);