Fixed wrong brackets: size*count + pad can overflow before the cast

=> Should fix #76 (most of the work has been done by Robin Mills in 6e3855aed7) The problem with #76 is the contents of the 26th IFD, with the following contents: tag: 0x8649 type: 0x1 count: 0xffff ffff offset: 0x4974 The issue is the size of count (uint32_t), as adding anything to it causes an overflow. Especially the expression: (size*count + pad+20) results in an overflow and gives 20 as a result instead of 0x100000014, thus the condition in the if in the next line is false and the program continues to run (until it crashes at io.read). To properly account for the overflow, the brackets have to be removed, as then the result is saved in the correctly sized type and not cast after being calculated in the smaller type. The brackets have also been removed from bigtiffimage.cpp, where the same issue is present.
8 years ago · 74cb5bab13
parent d8ae4484ae
commit 74cb5bab13
2 changed files with 2 additions and 2 deletions
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@ -227,7 +227,7 @@ namespace Exiv2
                                                  : 1;
                			// #55 memory allocation crash test/data/POC8
-                			long long allocate = (long long) (size*count + pad);
+                			long long allocate = (long long) size*count + pad;
                			if ( allocate > (long long) io.size() ) {
                    			throw Error(57);
                			}
--- a/src/image.cpp
+++ b/src/image.cpp
@ -402,7 +402,7 @@ namespace Exiv2 {
                // if ( offset > io.size() ) offset = 0; // Denial of service?
                // #55 memory allocation crash test/data/POC8
-                long long allocate = (long long) (size*count + pad+20);
+                long long allocate = (long long) size*count + pad+20;
                if ( allocate > (long long) io.size() ) {
                    throw Error(57);
                }