Fix addition overflows in range checks in LoaderTiff::getData

Several checks for extracted values performed no overflow checks on the addition. They can be tricked into passing, albeit the individual summands are too large. => use Safe::add() which now aborts when an overflow occurs This fixes Exiv2#366
dirkmueller · Jun 11, 2018 · fe70939 · fe70939
1 parent 9b08354
commit fe70939
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/preview.cpp b/src/preview.cpp
@@ -801,7 +801,7 @@ namespace {
                     // this saves one copying of the buffer
                     uint32_t offset = dataValue.toLong(0);
                     uint32_t size = sizes.toLong(0);
-                    if (offset + size <= static_cast<uint32_t>(io.size()))
+                    if (Safe::add(offset, size) <= static_cast<uint32_t>(io.size()))
                         dataValue.setDataArea(base + offset, size);
                 }
                 else {
@@ -811,8 +811,8 @@ namespace {
                     for (int i = 0; i < sizes.count(); i++) {
                         uint32_t offset = dataValue.toLong(i);
                         uint32_t size = sizes.toLong(i);
-                        enforce(idxBuf + size < size_, kerCorruptedMetadata);
-                        if (size!=0 && offset + size <= static_cast<uint32_t>(io.size()))
+                        enforce(Safe::add(idxBuf, size) < size_, kerCorruptedMetadata);
+                        if (size!=0 && Safe::add(offset, size) <= static_cast<uint32_t>(io.size()))
                             memcpy(&buf.pData_[idxBuf], base + offset, size);
                         idxBuf += size;
                     }