From 902eaf5a015145c56894f21315420de29f28337c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=99emysl=20Eric=20Janouch?=
Date: Sun, 28 May 2023 03:22:36 +0200
Subject: Make TIFF parsing a bit safer
At least on 64-bit systems, 32-bit may still have holes.
---
 fiv-io.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'fiv-io.c')
diff --git a/fiv-io.c b/fiv-io.c
index 7659fa8..503a086 100644
--- a/fiv-io.c
+++ b/fiv-io.c
@@ -1844,11 +1844,10 @@ tiff_ep_find_jpeg_evaluate(const struct tiffer *T, struct tiff_ep_jpeg *out)
 }
 int64_t ipointer = 0, ilength = 0;
- if (!tiffer_find_integer(T, tag_pointer, &ipointer) ||
- !tiffer_find_integer(T, tag_length, &ilength) ||
- ipointer <= 0 || ilength <= 0 ||
- (uint64_t) ilength > SIZE_MAX ||
- ipointer + ilength > (T->end - T->begin))
+ if (!tiffer_find_integer(T, tag_pointer, &ipointer) || ipointer <= 0 ||
+ !tiffer_find_integer(T, tag_length, &ilength) || ilength <= 0 ||
+ ipointer > T->end - T->begin ||
+ T->end - T->begin - ipointer < ilength)
 return;
 // Note that to get the largest JPEG,
-- 
cgit v1.2.3
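Review bot: The rewritten bounds check in tiff_ep_find_jpeg_evaluate has no comment saying why it compares by subtraction, so a later cleanup could restore `ipointer + ilength > ...`, where two positive int64_t values read from the file can overflow (undefined behaviour for signed types). I would add `// Compare by subtraction: ipointer + ilength may overflow int64_t on crafted input.` above the condition, and hoist the repeated `T->end - T->begin` into a local such as `const int64_t size = T->end - T->begin;` so both comparisons visibly use the same signed 64-bit value. The dropped `(uint64_t) ilength > SIZE_MAX` test looks redundant once ilength is bounded by the buffer size, assuming begin and end are pointers into one buffer; their declarations are outside the hunk, so that is worth confirming for the 32-bit targets the commit message mentions. The function body starts and ends outside the hunk.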