Bug 2810 - potential int32 overflow in multiply_ms() function
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: 4.0.1
Hardware: PC All
Importance: P2 major
Target Milestone: ---
Whiteboard: migrated_to_gitlab
Reported: 2018-09-07 07:08
Modified: 2019-10-01 14:21
Description From 2018-09-07 07:08:41
There is a potential int32 overflow in the multiply_ms function in
tools/ppm2tiff.c.

static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
        tmsize_t bytes = m1 * m2;

        if (m1 && bytes / m1 != m2)
                bytes = 0;

        return bytes;
}

Below is the proposed patch for the issue.


+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
 static tmsize_t
 multiply_ms(tmsize_t m1, tmsize_t m2)
 {
-       tmsize_t bytes = m1 * m2;
-
-       if (m1 && bytes / m1 != m2)
-               bytes = 0;
-
-       return bytes;
+        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+            return 0;
+        return m1 * m2;
 }
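Review bot: the new guard in multiply_ms() rejects m1 == 0 and an oversized m2, but it does not reject negative operands. With m1 > 0 and m2 < 0 the test `m2 > TIFF_TMSIZE_T_MAX / m1` is false and a negative product is returned instead of the 0 that callers treat as the failure value; with m1 < 0 and m2 < 0 the check can still pass and the multiplication can still overflow (e.g. m1 = -2, m2 = -TIFF_TMSIZE_T_MAX). Since both arguments are byte counts, consider `if (m1 <= 0 || m2 <= 0 || m2 > TIFF_TMSIZE_T_MAX / m1) return 0;`. Two smaller points: the added lines are indented with spaces while the surrounding function uses tabs, and a one-line comment saying why the bound is checked before multiplying (signed overflow is undefined behaviour, so the old `bytes / m1 != m2` test after the fact is not a reliable detector) would help the next reader.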
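To show the pre-multiplication check in use, here is an added example (not libtiff's code and not the patch above) of an overflow-checked multiply for a signed size type, modelled on the multiply_ms() discussed in this bug, together with an image-buffer sizing helper of the kind a converter such as ppm2tiff needs. It assumes tmsize_t is a signed type of size_t's width (ptrdiff_t here) and declares it locally so the file builds on its own; the CHK_ names and image_bytes_checked() are this example's own.

```c
/* Added example (not libtiff code): overflow-checked multiply for a signed
 * size type, plus an image-buffer sizing helper built on it.  tmsize_t is
 * assumed to be signed with size_t's width (ptrdiff_t), declared locally so
 * the file compiles stand-alone. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef ptrdiff_t tmsize_t;                     /* assumption, see above */
#define CHK_TMSIZE_T_MAX ((tmsize_t)(SIZE_MAX >> 1))

/* Returns m1 * m2, or 0 when either operand is not a positive count or the
 * product does not fit in tmsize_t.  The bound is tested before multiplying,
 * so the signed overflow (undefined behaviour) that a post-hoc
 * "bytes / m1 != m2" test relies on never occurs. */
static tmsize_t
multiply_ms_checked(tmsize_t m1, tmsize_t m2)
{
    if (m1 <= 0 || m2 <= 0)
        return 0;                               /* not a valid byte count */
    if (m2 > CHK_TMSIZE_T_MAX / m1)
        return 0;                               /* product would overflow */
    return m1 * m2;
}

/* Bytes needed for a w x h image with spp samples per pixel and bits bits
 * per sample, each row padded to a whole byte; 0 on overflow.  A 0 from an
 * inner multiply propagates, because multiply_ms_checked(0, x) is 0. */
static tmsize_t
image_bytes_checked(tmsize_t w, tmsize_t h, tmsize_t spp, tmsize_t bits)
{
    tmsize_t row_bits = multiply_ms_checked(multiply_ms_checked(w, spp), bits);
    if (row_bits == 0 || row_bits > CHK_TMSIZE_T_MAX - 7)
        return 0;                               /* row_bits + 7 must fit too */
    return multiply_ms_checked((row_bits + 7) / 8, h);
}

int main(void)
{
    /* constructed inputs: a 4096x4096 8-bit RGB image, then an absurd width */
    printf("4096x4096 RGB8: %td bytes\n", image_bytes_checked(4096, 4096, 3, 8));
    printf("oversized request: %td (0 = rejected)\n",
           image_bytes_checked(CHK_TMSIZE_T_MAX, 2, 1, 8));
    return 0;
}
```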
------- Comment #1 From 2019-02-13 05:38:58 -------
I don't understand what the issue is...
------- Comment #2 From 2019-10-01 14:21:15 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.