tiff: fix CVE-2019-14973

CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2019-14973 Upstream merge: https://gitlab.com/libtiff/libtiff/commit/2218055c (From OE-Core rev: cf26271c34fcbd76f90831955040020c3ee91b6b) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> [fixup for Warrior context] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Trevor Gamblin <trevor.gamblin@windriver.com> 2019-09-20 14:25:11 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-18 14:42:12 +0000
commit: ee860651e9eefcc7f210c8f6147b118881be740f (patch)
tree: 6cbdada845aeabfd6a6e8f84a6461befe1943bdd /meta/recipes-multimedia/libtiff/tiff
parent: bacc8e1617d5ec87f28d401cab4701f4bcd2bb12 (diff)
download: poky-ee860651e9eefcc7f210c8f6147b118881be740f.tar.gz
1 files changed, 415 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch
new file mode 100644
index 0000000000..8345295d07
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch
@@ -0,0 +1,415 @@
+From 95ac1e3fcc6b643b5bd100f2ea54faca0a003315 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Fri, 20 Sep 2019 09:33:22 -0400
+Subject: [PATCH] libtiff-fix-CVE-2019-14973
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/2218055ca67d84be596a13080e8f50f22116555c]
+CVE: CVE-2019-14973
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ libtiff/tif_aux.c      | 49 +++++++++++++++++++++++++++++++++++++-----
+ libtiff/tif_getimage.c |  6 ++----
+ libtiff/tif_luv.c      |  8 +------
+ libtiff/tif_pixarlog.c |  7 +-----
+ libtiff/tif_read.c     | 38 +++++++++-----------------------
+ libtiff/tif_strip.c    | 35 ++++--------------------------
+ libtiff/tif_tile.c     | 27 +++--------------------
+ libtiff/tiffiop.h      |  7 +++++-
+ 8 files changed, 71 insertions(+), 106 deletions(-)
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 4ece162f..33fb8a44 100644
+--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
+@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
+        return bytes;
+ }
+ 
+tmsize_t
+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
+{
+    if( first <= 0 || second <= 0 )
+    {
+        if( tif != NULL && where != NULL )
+        {
+            TIFFErrorExt(tif->tif_clientdata, where,
+                        "Invalid argument to _TIFFMultiplySSize() in %s", where);
+        }
+        return 0;
+    }
+
+    if( first > TIFF_TMSIZE_T_MAX / second )
+    {
+        if( tif != NULL && where != NULL )
+        {
+            TIFFErrorExt(tif->tif_clientdata, where,
+                        "Integer overflow in %s", where);
+        }
+        return 0;
+    }
+    return first * second;
+}
+
+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
+{
+    if( val > (uint64)TIFF_TMSIZE_T_MAX )
+    {
+        if( tif != NULL && module != NULL )
+        {
+            TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+        }
+        return 0;
+    }
+    return (tmsize_t)val;
+}
+
+ void*
+ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+                  tmsize_t nmemb, tmsize_t elem_size, const char* what)
+ {
+        void* cp = NULL;
+-       tmsize_t bytes = nmemb * elem_size;
+-
+        tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
+        /*
+-        * XXX: Check for integer overflow.
+        * Check for integer overflow.
+         */
+-       if (nmemb && elem_size && bytes / elem_size == nmemb)
+-               cp = _TIFFrealloc(buffer, bytes);
+       if (count != 0)
+       {
+               cp = _TIFFrealloc(buffer, count);
+       }
+ 
+        if (cp == NULL) {
+                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 6a9d5a7c..2106ca21 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+        uint32 leftmost_tw;
+ 
+        tilesize = TIFFTileSize(tif);  
+-       bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
+       bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
+        if (bufsize == 0) {
+-               TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
+                return (0);
+        }
+ 
+@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+         uint16 colorchannels;
+ 
+        stripsize = TIFFStripSize(tif);  
+-       bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
+       bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
+        if (bufsize == 0) {
+-               TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
+                return (0);
+        }
+ 
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index aa35ea07..46d2dff2 100644
+--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
+@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
+        return (SGILOGDATAFMT_UNKNOWN);
+ }
+ 
+-
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+-            return 0;
+-        return m1 * m2;
+        return _TIFFMultiplySSize(NULL, m1, m2, NULL);
+ }
+ 
+ static int
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 7438d692..b52a3ee4 100644
+--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
+@@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
+        return guess;
+ }
+ 
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+-            return 0;
+-        return m1 * m2;
+        return _TIFFMultiplySSize(NULL, m1, m2, NULL);
+ }
+ 
+ static tmsize_t
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index e63810cc..8db39d7a 100644
+--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
+@@ -29,9 +29,6 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+ 
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ int TIFFFillStrip(TIFF* tif, uint32 strip);
+ int TIFFFillTile(TIFF* tif, uint32 tile);
+ static int TIFFStartStrip(TIFF* tif, uint32 strip);
+@@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
+ #define THRESHOLD_MULTIPLIER 10
+ #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
+ 
+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
+
+ /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
+  * Returns 1 in case of success, 0 otherwise. */
+ static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
+@@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+                return ((tmsize_t)(-1));
+        }
+        bytecount = td->td_stripbytecount[strip];
+-       if ((int64)bytecount <= 0) {
+-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+-               TIFFErrorExt(tif->tif_clientdata, module,
+-                            "%I64u: Invalid strip byte count, strip %lu",
+-                            (unsigned __int64) bytecount,
+-                            (unsigned long) strip);
+-#else
+-               TIFFErrorExt(tif->tif_clientdata, module,
+-                            "%llu: Invalid strip byte count, strip %lu",
+-                            (unsigned long long) bytecount,
+-                            (unsigned long) strip);
+-#endif
+-               return ((tmsize_t)(-1));
+-       }
+-       bytecountm = (tmsize_t)bytecount;
+-       if ((uint64)bytecountm!=bytecount) {
+-               TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
+        bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
+       if (bytecountm == 0) {
+                return ((tmsize_t)(-1));
+        }
+        if (size != (tmsize_t)(-1) && size < bytecountm)
+@@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+        if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+        {
+                uint64 bytecount = td->td_stripbytecount[strip];
+-               if ((int64)bytecount <= 0) {
+               if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                        TIFFErrorExt(tif->tif_clientdata, module,
+                                "Invalid strip byte count %I64u, strip %lu",
+@@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+                            (bytecount - 4096) / 10 > (uint64)stripsize  )
+                        {
+                                uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+-                               if( (int64)newbytecount >= 0 )
+                               if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
+                                {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                                        TIFFWarningExt(tif->tif_clientdata, module,
+@@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
+        bytecount64 = td->td_stripbytecount[tile];
+        if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
+                bytecount64 = (uint64)size;
+-       bytecountm = (tmsize_t)bytecount64;
+-       if ((uint64)bytecountm!=bytecount64)
+-       {
+-               TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+       bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
+        if( bytecountm == 0 ) {
+                return ((tmsize_t)(-1));
+        }
+        return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
+@@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+        if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+        {
+                uint64 bytecount = td->td_stripbytecount[tile];
+-               if ((int64)bytecount <= 0) {
+               if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                        TIFFErrorExt(tif->tif_clientdata, module,
+                                "%I64u: Invalid tile byte count, tile %lu",
+@@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+                            (bytecount - 4096) / 10 > (uint64)stripsize  )
+                        {
+                                uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+-                               if( (int64)newbytecount >= 0 )
+                               if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
+                                {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                                        TIFFWarningExt(tif->tif_clientdata, module,
+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
+index 5b76fba5..2366acf0 100644
+--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
+@@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
+ {
+        static const char module[] = "TIFFVStripSize";
+        uint64 m;
+-       tmsize_t n;
+        m=TIFFVStripSize64(tif,nrows);
+-       n=(tmsize_t)m;
+-       if ((uint64)n!=m)
+-       {
+-               TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-               n=0;
+-       }
+-       return(n);
+        return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif)
+ {
+        static const char module[] = "TIFFStripSize";
+        uint64 m;
+-       tmsize_t n;
+        m=TIFFStripSize64(tif);
+-       n=(tmsize_t)m;
+-       if ((uint64)n!=m)
+-       {
+-               TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-               n=0;
+-       }
+-       return(n);
+       return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif)
+ {
+        static const char module[] = "TIFFScanlineSize";
+        uint64 m;
+-       tmsize_t n;
+        m=TIFFScanlineSize64(tif);
+-       n=(tmsize_t)m;
+-       if ((uint64)n!=m) {
+-               TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
+-               n=0;
+-       }
+-       return(n);
+       return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif)
+ {
+        static const char module[] = "TIFFRasterScanlineSize";
+        uint64 m;
+-       tmsize_t n;
+        m=TIFFRasterScanlineSize64(tif);
+-       n=(tmsize_t)m;
+-       if ((uint64)n!=m)
+-       {
+-               TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
+-               n=0;
+-       }
+-       return(n);
+       return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
+index 58fe9354..661cc771 100644
+--- a/libtiff/tif_tile.c
+++ b/libtiff/tif_tile.c
+@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
+ {
+        static const char module[] = "TIFFTileRowSize";
+        uint64 m;
+-       tmsize_t n;
+        m=TIFFTileRowSize64(tif);
+-       n=(tmsize_t)m;
+-       if ((uint64)n!=m)
+-       {
+-               TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-               n=0;
+-       }
+-       return(n);
+       return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
+ {
+        static const char module[] = "TIFFVTileSize";
+        uint64 m;
+-       tmsize_t n;
+        m=TIFFVTileSize64(tif,nrows);
+-       n=(tmsize_t)m;
+-       if ((uint64)n!=m)
+-       {
+-               TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-               n=0;
+-       }
+-       return(n);
+       return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
+ {
+        static const char module[] = "TIFFTileSize";
+        uint64 m;
+-       tmsize_t n;
+        m=TIFFTileSize64(tif);
+-       n=(tmsize_t)m;
+-       if ((uint64)n!=m)
+-       {
+-               TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-               n=0;
+-       }
+-       return(n);
+       return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index 186c291f..558484fe 100644
+--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
+@@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
+ #define        FALSE   0
+ #endif
+ 
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
+ typedef struct client_info {
+     struct client_info *next;
+     void *data;
+@@ -258,7 +261,7 @@ struct tiff {
+ #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
+ #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
+ 
+-/* Safe multiply which returns zero if there is an integer overflow */
+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
+ #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+ 
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+@@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
+ 
+ extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
+ extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
+ extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
+ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
+ 
+-- 
+2.17.1
author	Trevor Gamblin <trevor.gamblin@windriver.com>	2019-09-20 14:25:11 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-11-18 14:42:12 +0000
commit	ee860651e9eefcc7f210c8f6147b118881be740f (patch)
tree	6cbdada845aeabfd6a6e8f84a6461befe1943bdd /meta/recipes-multimedia/libtiff/tiff
parent	bacc8e1617d5ec87f28d401cab4701f4bcd2bb12 (diff)
download	poky-ee860651e9eefcc7f210c8f6147b118881be740f.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch new file mode 100644 index 0000000000..8345295d07 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch
@@ -0,0 +1,415 @@
	1	From 95ac1e3fcc6b643b5bd100f2ea54faca0a003315 Mon Sep 17 00:00:00 2001
	2	From: Trevor Gamblin <trevor.gamblin@windriver.com>
	3	Date: Fri, 20 Sep 2019 09:33:22 -0400
	4	Subject: [PATCH] libtiff-fix-CVE-2019-14973
	5
	6	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/2218055ca67d84be596a13080e8f50f22116555c]
	7	CVE: CVE-2019-14973
	8
	9	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
	10	---
	11	libtiff/tif_aux.c \| 49 +++++++++++++++++++++++++++++++++++++-----
	12	libtiff/tif_getimage.c \| 6 ++----
	13	libtiff/tif_luv.c \| 8 +------
	14	libtiff/tif_pixarlog.c \| 7 +-----
	15	libtiff/tif_read.c \| 38 +++++++++-----------------------
	16	libtiff/tif_strip.c \| 35 ++++--------------------------
	17	libtiff/tif_tile.c \| 27 +++--------------------
	18	libtiff/tiffiop.h \| 7 +++++-
	19	8 files changed, 71 insertions(+), 106 deletions(-)
	20
	21	diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
	22	index 4ece162f..33fb8a44 100644
	23	--- a/libtiff/tif_aux.c
	24	+++ b/libtiff/tif_aux.c
	25	@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
	26	return bytes;
	27	}
	28
	29	+tmsize_t
	30	+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
	31	+{
	32	+ if( first <= 0 \|\| second <= 0 )
	33	+ {
	34	+ if( tif != NULL && where != NULL )
	35	+ {
	36	+ TIFFErrorExt(tif->tif_clientdata, where,
	37	+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
	38	+ }
	39	+ return 0;
	40	+ }
	41	+
	42	+ if( first > TIFF_TMSIZE_T_MAX / second )
	43	+ {
	44	+ if( tif != NULL && where != NULL )
	45	+ {
	46	+ TIFFErrorExt(tif->tif_clientdata, where,
	47	+ "Integer overflow in %s", where);
	48	+ }
	49	+ return 0;
	50	+ }
	51	+ return first * second;
	52	+}
	53	+
	54	+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
	55	+{
	56	+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
	57	+ {
	58	+ if( tif != NULL && module != NULL )
	59	+ {
	60	+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
	61	+ }
	62	+ return 0;
	63	+ }
	64	+ return (tmsize_t)val;
	65	+}
	66	+
	67	void*
	68	_TIFFCheckRealloc(TIFF* tif, void* buffer,
	69	tmsize_t nmemb, tmsize_t elem_size, const char* what)
	70	{
	71	void* cp = NULL;
	72	- tmsize_t bytes = nmemb * elem_size;
	73	-
	74	+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
	75	/*
	76	- * XXX: Check for integer overflow.
	77	+ * Check for integer overflow.
	78	*/
	79	- if (nmemb && elem_size && bytes / elem_size == nmemb)
	80	- cp = _TIFFrealloc(buffer, bytes);
	81	+ if (count != 0)
	82	+ {
	83	+ cp = _TIFFrealloc(buffer, count);
	84	+ }
	85
	86	if (cp == NULL) {
	87	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
	88	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
	89	index 6a9d5a7c..2106ca21 100644
	90	--- a/libtiff/tif_getimage.c
	91	+++ b/libtiff/tif_getimage.c
	92	@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
	93	uint32 leftmost_tw;
	94
	95	tilesize = TIFFTileSize(tif);
	96	- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
	97	+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
	98	if (bufsize == 0) {
	99	- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
	100	return (0);
	101	}
	102
	103	@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
	104	uint16 colorchannels;
	105
	106	stripsize = TIFFStripSize(tif);
	107	- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
	108	+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
	109	if (bufsize == 0) {
	110	- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
	111	return (0);
	112	}
	113
	114	diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
	115	index aa35ea07..46d2dff2 100644
	116	--- a/libtiff/tif_luv.c
	117	+++ b/libtiff/tif_luv.c
	118	@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
	119	return (SGILOGDATAFMT_UNKNOWN);
	120	}
	121
	122	-
	123	-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
	124	-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
	125	-
	126	static tmsize_t
	127	multiply_ms(tmsize_t m1, tmsize_t m2)
	128	{
	129	- if( m1 == 0 \|\| m2 > TIFF_TMSIZE_T_MAX / m1 )
	130	- return 0;
	131	- return m1 * m2;
	132	+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
	133	}
	134
	135	static int
	136	diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
	137	index 7438d692..b52a3ee4 100644
	138	--- a/libtiff/tif_pixarlog.c
	139	+++ b/libtiff/tif_pixarlog.c
	140	@@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
	141	return guess;
	142	}
	143
	144	-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
	145	-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
	146	-
	147	static tmsize_t
	148	multiply_ms(tmsize_t m1, tmsize_t m2)
	149	{
	150	- if( m1 == 0 \|\| m2 > TIFF_TMSIZE_T_MAX / m1 )
	151	- return 0;
	152	- return m1 * m2;
	153	+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
	154	}
	155
	156	static tmsize_t
	157	diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
	158	index e63810cc..8db39d7a 100644
	159	--- a/libtiff/tif_read.c
	160	+++ b/libtiff/tif_read.c
	161	@@ -29,9 +29,6 @@
	162	#include "tiffiop.h"
	163	#include <stdio.h>
	164
	165	-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
	166	-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
	167	-
	168	int TIFFFillStrip(TIFF* tif, uint32 strip);
	169	int TIFFFillTile(TIFF* tif, uint32 tile);
	170	static int TIFFStartStrip(TIFF* tif, uint32 strip);
	171	@@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
	172	#define THRESHOLD_MULTIPLIER 10
	173	#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
	174
	175	+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) \| 0xFFFFFFFF)
	176	+
	177	/* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
	178	* Returns 1 in case of success, 0 otherwise. */
	179	static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
	180	@@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
	181	return ((tmsize_t)(-1));
	182	}
	183	bytecount = td->td_stripbytecount[strip];
	184	- if ((int64)bytecount <= 0) {
	185	-#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
	186	- TIFFErrorExt(tif->tif_clientdata, module,
	187	- "%I64u: Invalid strip byte count, strip %lu",
	188	- (unsigned __int64) bytecount,
	189	- (unsigned long) strip);
	190	-#else
	191	- TIFFErrorExt(tif->tif_clientdata, module,
	192	- "%llu: Invalid strip byte count, strip %lu",
	193	- (unsigned long long) bytecount,
	194	- (unsigned long) strip);
	195	-#endif
	196	- return ((tmsize_t)(-1));
	197	- }
	198	- bytecountm = (tmsize_t)bytecount;
	199	- if ((uint64)bytecountm!=bytecount) {
	200	- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
	201	+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
	202	+ if (bytecountm == 0) {
	203	return ((tmsize_t)(-1));
	204	}
	205	if (size != (tmsize_t)(-1) && size < bytecountm)
	206	@@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
	207	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
	208	{
	209	uint64 bytecount = td->td_stripbytecount[strip];
	210	- if ((int64)bytecount <= 0) {
	211	+ if( bytecount == 0 \|\| bytecount > (uint64)TIFF_INT64_MAX ) {
	212	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
	213	TIFFErrorExt(tif->tif_clientdata, module,
	214	"Invalid strip byte count %I64u, strip %lu",
	215	@@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
	216	(bytecount - 4096) / 10 > (uint64)stripsize )
	217	{
	218	uint64 newbytecount = (uint64)stripsize * 10 + 4096;
	219	- if( (int64)newbytecount >= 0 )
	220	+ if( newbytecount == 0 \|\| newbytecount > (uint64)TIFF_INT64_MAX )
	221	{
	222	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
	223	TIFFWarningExt(tif->tif_clientdata, module,
	224	@@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
	225	bytecount64 = td->td_stripbytecount[tile];
	226	if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
	227	bytecount64 = (uint64)size;
	228	- bytecountm = (tmsize_t)bytecount64;
	229	- if ((uint64)bytecountm!=bytecount64)
	230	- {
	231	- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
	232	+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
	233	+ if( bytecountm == 0 ) {
	234	return ((tmsize_t)(-1));
	235	}
	236	return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
	237	@@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
	238	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
	239	{
	240	uint64 bytecount = td->td_stripbytecount[tile];
	241	- if ((int64)bytecount <= 0) {
	242	+ if( bytecount == 0 \|\| bytecount > (uint64)TIFF_INT64_MAX ) {
	243	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
	244	TIFFErrorExt(tif->tif_clientdata, module,
	245	"%I64u: Invalid tile byte count, tile %lu",
	246	@@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
	247	(bytecount - 4096) / 10 > (uint64)stripsize )
	248	{
	249	uint64 newbytecount = (uint64)stripsize * 10 + 4096;
	250	- if( (int64)newbytecount >= 0 )
	251	+ if( newbytecount == 0 \|\| newbytecount > (uint64)TIFF_INT64_MAX )
	252	{
	253	#if defined(__WIN32__) && (defined(_MSC_VER) \|\| defined(__MINGW32__))
	254	TIFFWarningExt(tif->tif_clientdata, module,
	255	diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
	256	index 5b76fba5..2366acf0 100644
	257	--- a/libtiff/tif_strip.c
	258	+++ b/libtiff/tif_strip.c
	259	@@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
	260	{
	261	static const char module[] = "TIFFVStripSize";
	262	uint64 m;
	263	- tmsize_t n;
	264	m=TIFFVStripSize64(tif,nrows);
	265	- n=(tmsize_t)m;
	266	- if ((uint64)n!=m)
	267	- {
	268	- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
	269	- n=0;
	270	- }
	271	- return(n);
	272	+ return _TIFFCastUInt64ToSSize(tif, m, module);
	273	}
	274
	275	/*
	276	@@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif)
	277	{
	278	static const char module[] = "TIFFStripSize";
	279	uint64 m;
	280	- tmsize_t n;
	281	m=TIFFStripSize64(tif);
	282	- n=(tmsize_t)m;
	283	- if ((uint64)n!=m)
	284	- {
	285	- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
	286	- n=0;
	287	- }
	288	- return(n);
	289	+ return _TIFFCastUInt64ToSSize(tif, m, module);
	290	}
	291
	292	/*
	293	@@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif)
	294	{
	295	static const char module[] = "TIFFScanlineSize";
	296	uint64 m;
	297	- tmsize_t n;
	298	m=TIFFScanlineSize64(tif);
	299	- n=(tmsize_t)m;
	300	- if ((uint64)n!=m) {
	301	- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
	302	- n=0;
	303	- }
	304	- return(n);
	305	+ return _TIFFCastUInt64ToSSize(tif, m, module);
	306	}
	307
	308	/*
	309	@@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif)
	310	{
	311	static const char module[] = "TIFFRasterScanlineSize";
	312	uint64 m;
	313	- tmsize_t n;
	314	m=TIFFRasterScanlineSize64(tif);
	315	- n=(tmsize_t)m;
	316	- if ((uint64)n!=m)
	317	- {
	318	- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
	319	- n=0;
	320	- }
	321	- return(n);
	322	+ return _TIFFCastUInt64ToSSize(tif, m, module);
	323	}
	324
	325	/* vim: set ts=8 sts=8 sw=8 noet: */
	326	diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
	327	index 58fe9354..661cc771 100644
	328	--- a/libtiff/tif_tile.c
	329	+++ b/libtiff/tif_tile.c
	330	@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
	331	{
	332	static const char module[] = "TIFFTileRowSize";
	333	uint64 m;
	334	- tmsize_t n;
	335	m=TIFFTileRowSize64(tif);
	336	- n=(tmsize_t)m;
	337	- if ((uint64)n!=m)
	338	- {
	339	- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
	340	- n=0;
	341	- }
	342	- return(n);
	343	+ return _TIFFCastUInt64ToSSize(tif, m, module);
	344	}
	345
	346	/*
	347	@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
	348	{
	349	static const char module[] = "TIFFVTileSize";
	350	uint64 m;
	351	- tmsize_t n;
	352	m=TIFFVTileSize64(tif,nrows);
	353	- n=(tmsize_t)m;
	354	- if ((uint64)n!=m)
	355	- {
	356	- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
	357	- n=0;
	358	- }
	359	- return(n);
	360	+ return _TIFFCastUInt64ToSSize(tif, m, module);
	361	}
	362
	363	/*
	364	@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
	365	{
	366	static const char module[] = "TIFFTileSize";
	367	uint64 m;
	368	- tmsize_t n;
	369	m=TIFFTileSize64(tif);
	370	- n=(tmsize_t)m;
	371	- if ((uint64)n!=m)
	372	- {
	373	- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
	374	- n=0;
	375	- }
	376	- return(n);
	377	+ return _TIFFCastUInt64ToSSize(tif, m, module);
	378	}
	379
	380	/*
	381	diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
	382	index 186c291f..558484fe 100644
	383	--- a/libtiff/tiffiop.h
	384	+++ b/libtiff/tiffiop.h
	385	@@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
	386	#define FALSE 0
	387	#endif
	388
	389	+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
	390	+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
	391	+
	392	typedef struct client_info {
	393	struct client_info *next;
	394	void *data;
	395	@@ -258,7 +261,7 @@ struct tiff {
	396	#define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
	397	#define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
	398
	399	-/* Safe multiply which returns zero if there is an integer overflow */
	400	+/* Safe multiply which returns zero if there is an unsigned integer overflow. This macro is not safe for signed integer types */
	401	#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)(m))/(m))) == (t)(v))) ? (t)((v)(m)) : (t)0)
	402
	403	#define TIFFmax(A,B) ((A)>(B)?(A):(B))
	404	@@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
	405
	406	extern uint32 _TIFFMultiply32(TIFF, uint32, uint32, const char);
	407	extern uint64 _TIFFMultiply64(TIFF, uint64, uint64, const char);
	408	+extern tmsize_t _TIFFMultiplySSize(TIFF, tmsize_t, tmsize_t, const char);
	409	+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF, uint64, const char);
	410	extern void* _TIFFCheckMalloc(TIFF, tmsize_t, tmsize_t, const char);
	411	extern void* _TIFFCheckRealloc(TIFF, void, tmsize_t, tmsize_t, const char*);
	412
	413	--
	414	2.17.1
	415