authorPřemysl Eric Janouch <p@janouch.name>2023-05-28 03:22:36 +0200
committerPřemysl Eric Janouch <p@janouch.name>2023-05-28 08:12:22 +0200
commit902eaf5a015145c56894f21315420de29f28337c (patch)
tree9b01a3f5e04080dd7c0b9690d260b46c3236a9ee /fiv-io.c
parentdf7c7b9f6b12a80f3a1de01c35e77ef2f919d28e (diff)
Make TIFF parsing a bit safer
At least on 64-bit systems; 32-bit systems may still have holes.
Diffstat (limited to 'fiv-io.c')
-rw-r--r--fiv-io.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/fiv-io.c b/fiv-io.c
index 7659fa8..503a086 100644
--- a/fiv-io.c
+++ b/fiv-io.c
@@ -1844,11 +1844,10 @@ tiff_ep_find_jpeg_evaluate(const struct tiffer *T, struct tiff_ep_jpeg *out)
}
int64_t ipointer = 0, ilength = 0;
- if (!tiffer_find_integer(T, tag_pointer, &ipointer) ||
- !tiffer_find_integer(T, tag_length, &ilength) ||
- ipointer <= 0 || ilength <= 0 ||
- (uint64_t) ilength > SIZE_MAX ||
- ipointer + ilength > (T->end - T->begin))
+ if (!tiffer_find_integer(T, tag_pointer, &ipointer) || ipointer <= 0 ||
+ !tiffer_find_integer(T, tag_length, &ilength) || ilength <= 0 ||
+ ipointer > T->end - T->begin ||
+ T->end - T->begin - ipointer < ilength)
return;
// Note that to get the largest JPEG,
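Review bot: The last two comparisons in the new condition rely on `T->end - T->begin` being implicitly widened to `int64_t`, and nothing records why the length check is written as a subtraction. The types of `T->begin` and `T->end` are not visible in this hunk, but if they are pointers the difference is a `ptrdiff_t`, which is only 32 bits wide on the 32-bit targets the commit message is unsure about. Naming it once before the `if`, as `const int64_t size = T->end - T->begin;`, makes the widening explicit and avoids computing the difference twice. I would also add a comment such as `// Subtract instead of adding: ipointer and ilength come from the file, and their sum could overflow.` so a later cleanup does not reintroduce the addition. The body of tiff_ep_find_jpeg_evaluate starts and ends outside this hunk, so how `ipointer` and `ilength` are used afterwards cannot be checked from here.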