Merge pull request #79 from D4N/fix_76

Fixed wrong brackets: size*count + pad can overflow before the cast
8 years ago · 272fc46502
parent d8ae4484ae 74cb5bab13
commit 272fc46502
2 changed files with 2 additions and 2 deletions
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@ -227,7 +227,7 @@ namespace Exiv2
                                                  : 1;

                			// #55 memory allocation crash test/data/POC8
-                			long long allocate = (long long) (size*count + pad);
+                			long long allocate = (long long) size*count + pad;
                			if ( allocate > (long long) io.size() ) {
                    			throw Error(57);
                			}
--- a/src/image.cpp
+++ b/src/image.cpp
@ -402,7 +402,7 @@ namespace Exiv2 {
                // if ( offset > io.size() ) offset = 0; // Denial of service?

                // #55 memory allocation crash test/data/POC8
-                long long allocate = (long long) (size*count + pad+20);
+                long long allocate = (long long) size*count + pad+20;
                if ( allocate > (long long) io.size() ) {
                    throw Error(57);
                }