xymp
/
exiv2
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #79 from D4N/fix_76

Browse Source 
Fixed wrong brackets: size*count + pad can overflow before the cast
v0.27.3
Robin Mills 8 years ago committed by GitHub
parent d8ae4484ae 74cb5bab13
commit 272fc46502
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File

2
src/bigtiffimage.cpp
Unescape Escape View File

@ -227,7 +227,7 @@ namespace Exiv2
: 1; : 1;
// #55 memory allocation crash test/data/POC8 // #55 memory allocation crash test/data/POC8
long long allocate = (long long) (size*count + pad); long long allocate = (long long) size*count + pad;
if ( allocate > (long long) io.size() ) { if ( allocate > (long long) io.size() ) {
throw Error(57); throw Error(57);
} }

2
src/image.cpp
Unescape Escape View File

@ -402,7 +402,7 @@ namespace Exiv2 {
// if ( offset > io.size() ) offset = 0; // Denial of service? // if ( offset > io.size() ) offset = 0; // Denial of service?
// #55 memory allocation crash test/data/POC8 // #55 memory allocation crash test/data/POC8
long long allocate = (long long) (size*count + pad+20); long long allocate = (long long) size*count + pad+20;
if ( allocate > (long long) io.size() ) { if ( allocate > (long long) io.size() ) {
throw Error(57); throw Error(57);
} }

Write Preview
Loading…
Cancel
Save