From 64e05c0a7a75cfc9b53140e93d29fec2d8adb901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Walenciak?=
Date: Wed, 4 Oct 2017 22:46:20 +0200
Subject: [PATCH] improving fixes for #55 and #56

---
 src/bigtiffimage.cpp | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index b1dcd27a..ce1efb6c 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -226,13 +226,24 @@ namespace Exiv2
 : is8ByteType(type) ? 8 : 1;
- // #55 memory allocation crash test/data/POC8
- long long allocate = (long long) size*count + pad;
- if ( allocate > (long long) io.size() ) {
- throw Error(57);
- }
+ // #55 and #56 memory allocation crash test/data/POC8
- DataBuf buf((long)allocate);
+ // size * count > std::numeric_limits::max()
+ // =>
+ // size > std::numeric_limits::max() / count
+ if (size > std::numeric_limits::max() / count)
+ throw Error(57); // we got number bigger than 2^64
+ // more than we can handle
+
+ if (size * count > std::numeric_limits::max() - pad)
+ throw Error(57); // again more than 2^64
+
+ const uint64_t allocate = size*count + pad;
+ if ( allocate > io.size() ) {
+ throw Error(57);
+ }
+
+ DataBuf buf(allocate);
 const uint64_t offset = header_.format() == Header::StandardTiff? byteSwap4(data, 0, doSwap_):