• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
2index fc554ccab..fff3f7fde 100644
3--- a/third_party/libtiff/tif_getimage.c
4+++ b/third_party/libtiff/tif_getimage.c
5@@ -31,6 +31,7 @@
6  */
7 #include "tiffiop.h"
8 #include <stdio.h>
9+#include <limits.h>
10
11 static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
12 static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
13@@ -628,6 +629,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
14     uint32 tw, th;
15     unsigned char* buf = NULL;
16     int32 fromskew, toskew;
17+    int64 safeskew;
18     uint32 nrow;
19     int ret = 1, flip;
20     uint32 this_tw, tocol;
21@@ -648,19 +650,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
22     flip = setorientation(img);
23     if (flip & FLIP_VERTICALLY) {
24 	    y = h - 1;
25-	    toskew = -(int32)(tw + w);
26+	    safeskew = 0;
27+	    safeskew -= tw;
28+	    safeskew -= w;
29     }
30     else {
31 	    y = 0;
32-	    toskew = -(int32)(tw - w);
33+	    safeskew = 0;
34+	    safeskew -= tw;
35+	    safeskew +=w;
36     }
37
38+    if(safeskew > INT_MAX || safeskew < INT_MIN){
39+       _TIFFfree(buf);
40+       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
41+       return (0);
42+    }
43+    toskew = safeskew;
44+
45     /*
46      *	Leftmost tile is clipped on left side if col_offset > 0.
47      */
48     leftmost_fromskew = img->col_offset % tw;
49     leftmost_tw = tw - leftmost_fromskew;
50-    leftmost_toskew = toskew + leftmost_fromskew;
51+    safeskew = toskew;
52+    safeskew += leftmost_fromskew;
53+    if(safeskew > INT_MAX || safeskew < INT_MIN){
54+       _TIFFfree(buf);
55+       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
56+       return (0);
57+    }
58+    leftmost_toskew = safeskew;
59     for (row = 0; ret != 0 && row < h; row += nrow)
60     {
61         rowstoread = th - (row + img->row_offset) % th;
62@@ -686,9 +706,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
63 		/*
64 		 * Rightmost tile is clipped on right side.
65 		 */
66-		fromskew = tw - (w - tocol);
67+		safeskew = tw;
68+		safeskew -= w;
69+		safeskew += tocol;
70+		if(safeskew > INT_MAX || safeskew < INT_MIN){
71+		        _TIFFfree(buf);
72+		        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
73+		        return (0);
74+		}
75+		fromskew = safeskew;
76 		this_tw = tw - fromskew;
77-		this_toskew = toskew + fromskew;
78+		safeskew = toskew;
79+		safeskew += fromskew;
80+		if(safeskew > INT_MAX || safeskew < INT_MIN){
81+		        _TIFFfree(buf);
82+		        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
83+		        return (0);
84+		}
85+		this_toskew = safeskew;
86 	    }
87 	    (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos);
88 	    tocol += this_tw;
89