|
|
|
|
@ -226,13 +226,24 @@ namespace Exiv2
|
|
|
|
|
: is8ByteType(type) ? 8
|
|
|
|
|
: 1;
|
|
|
|
|
|
|
|
|
|
// #55 memory allocation crash test/data/POC8
|
|
|
|
|
long long allocate = (long long) size*count + pad;
|
|
|
|
|
if ( allocate > (long long) io.size() ) {
|
|
|
|
|
throw Error(57);
|
|
|
|
|
}
|
|
|
|
|
// #55 and #56 memory allocation crash test/data/POC8
|
|
|
|
|
|
|
|
|
|
DataBuf buf((long)allocate);
|
|
|
|
|
// size * count > std::numeric_limits<uint64_t>::max()
|
|
|
|
|
// =>
|
|
|
|
|
// size > std::numeric_limits<uint64_t>::max() / count
|
|
|
|
|
if (size > std::numeric_limits<uint64_t>::max() / count)
|
|
|
|
|
throw Error(57); // we got number bigger than 2^64
|
|
|
|
|
// more than we can handle
|
|
|
|
|
|
|
|
|
|
if (size * count > std::numeric_limits<uint64_t>::max() - pad)
|
|
|
|
|
throw Error(57); // again more than 2^64
|
|
|
|
|
|
|
|
|
|
const uint64_t allocate = size*count + pad;
|
|
|
|
|
if ( allocate > io.size() ) {
|
|
|
|
|
throw Error(57);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DataBuf buf(allocate);
|
|
|
|
|
|
|
|
|
|
const uint64_t offset = header_.format() == Header::StandardTiff?
|
|
|
|
|
byteSwap4(data, 0, doSwap_):
|
|
|
|
|
|
Michał Walenciak
8 years ago