blob: 5413e92dd322a2b075555baf7ad0b17b26cb52ba (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
index 8603ff026..f5a05e55b 100644
--- a/third_party/libtiff/tif_getimage.c
+++ b/third_party/libtiff/tif_getimage.c
@@ -1083,6 +1083,12 @@ static int gtStripContig(TIFFRGBAImage *img, uint32_t *raster, uint32_t w,
int ret = 1, flip;
tmsize_t maxstripsize;
+ if ((tmsize_t)img->row_offset > TIFF_SSIZE_T_MAX ||
+ (size_t)h > (size_t)TIFF_SSIZE_T_MAX)
+ {
+ return (0);
+ }
+
TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor,
&subsamplingver);
if (subsamplingver == 0)
diff --git a/third_party/libtiff/tiffconf.h b/third_party/libtiff/tiffconf.h
index 4c83b03f1..289f1758f 100644
--- a/third_party/libtiff/tiffconf.h
+++ b/third_party/libtiff/tiffconf.h
@@ -136,10 +136,12 @@
#if defined(ARCH_CPU_64_BITS)
#define TIFF_SSIZE_T int64_t
#define TIFF_SSIZE_FORMAT PRId64
+#define TIFF_SSIZE_T_MAX INT64_MAX
#define SIZEOF_SIZE_T 8
#else
#define TIFF_SSIZE_T int32_t
#define TIFF_SSIZE_FORMAT PRId32
+#define TIFF_SSIZE_T_MAX INT32_MAX
#define SIZEOF_SIZE_T 4
#endif
|
