
libtiff-3.6.1-12.6.20060mdk.src.rpm

Fixed an integer overflow condition in the TIFFFetchData() function. As per bug
http://bugzilla.remotesensing.org/show_bug.cgi?id=1102
================================================================================
--- tiff-3.7.3/libtiff/tif_dirread.c
+++ tiff-3.7.3/libtiff/tif_dirread.c
@@ -798,13 +798,20 @@
 	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
 	tsize_t cc = dir->tdir_count * w;
 
+	/* Check for overflow. */
+	if (!dir->tdir_count || !w || cc / w != (tsize_t)dir->tdir_count)
+		goto bad;
+
 	if (!isMapped(tif)) {
 		if (!SeekOK(tif, dir->tdir_offset))
 			goto bad;
 		if (!ReadOK(tif, cp, cc))
 			goto bad;
 	} else {
-		if (dir->tdir_offset + cc > tif->tif_size)
+		/* Check for overflow. */
+		if ((tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset
+		    || (tsize_t)dir->tdir_offset + cc < cc
+		    || (tsize_t)dir->tdir_offset + cc > (tsize_t)tif->tif_size)
 			goto bad;
 		_TIFFmemcpy(cp, tif->tif_base + dir->tdir_offset, cc);
 	}
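Review bot: The new overflow check at the top of the hunk still lets a negative `cc` through when `tsize_t` is signed (a 32-bit signed type in this libtiff line, as far as I know): with `w == 1` and a `tdir_count` above 0x7fffffff, `cc` converts to the same negative value as `(tsize_t)dir->tdir_count`, so the division test passes and the unmapped branch hands that `cc` to ReadOK() with no further bound visible in the hunk; a sign test closes it, `if (!dir->tdir_count || !w || cc < 0 || cc / w != (tsize_t)dir->tdir_count)`. The mapped-branch guard detects wrap-around by comparing the signed sum `(tsize_t)dir->tdir_offset + cc` with its operands, which is signed overflow and therefore undefined behaviour that a compiler may optimise away; rejecting `dir->tdir_offset > tif->tif_size` first and then testing `cc > (tsize_t)tif->tif_size - (tsize_t)dir->tdir_offset` avoids the overflowing addition altogether. TIFFFetchData() begins and ends outside the hunk, so whether the caller already bounds tdir_count against the buffer it allocated cannot be confirmed from here.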