2014.12.27 23:06 "[Tiff] [PATCH] tiff2ps: fix grayscale with unassociated alpha (and other extrasamples != 0)", by Yuriy M. Kaminskiy

2014.12.30 21:45 "Re: [Tiff] [PATCH] tif_luv, tif_pixarlog, ppm2tiff: get rid of duplicates of TIFFSafeMultiply", by Yuriy M. Kaminskiy

Jürgen Buchmüller wrote:

> On Tuesday, 30.12.2014, 23:41 +0300, Yuriy M. Kaminskiy wrote:
>> While fixing that, I noticed some very WTF code: add_ms in
>> libtiff/tif_pixarlog.c and checkAdd64 in tools/tiff2pdf.c
>> I'm not sure what they are trying to do, but I'm pretty sure they are doing it
>> WRONG and both cannot possibly work, due to different reasons. Please take a
>> look or two.
>
> I don't see add_ms in my copy (4.0.3) of the source. multiply_ms looks

It's in CVS HEAD, commit that added it:

tif_pixarlog.c:
revision 1.39
date: 2012-12-10 21:27:13 +0400;  author: tgl;  state: Exp;  lines: +18 -2;
commitid: t2WuwXf96oECEHvw;
Detect integer overflow in addition when computing buffer size.

ChangeLog:
2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>

* libtiff/tif_pixarlog.c: Improve previous patch for CVE-2012-4447 (to enlarge tbuf for possible partial stride at end) so that overflow in the integer addition is detected. Per gripe from Huzaifa Sidhpurwala.

(that's after 4.0.3 release)

> like it could work, though. For checkAdd64 I also don't see how it could work as intended.

Perhaps this line would work

        if ((summand1/2 + summand2/2 + 1) & (1ull << 63)) {
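
Added example, not part of the original message and not libtiff code: unsigned 64-bit addition wraps modulo 2^64, so an overflow check has to test the headroom before adding. The names checked_add_u64, halved_sum_flags and padded_size are hypothetical; halved_sum_flags wraps the expression quoted above so both checks can be run on constructed boundary values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libtiff code): add two unsigned 64-bit values,
 * reporting overflow instead of silently wrapping modulo 2^64. */
static bool checked_add_u64(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a > UINT64_MAX - b)   /* headroom test; cannot itself overflow */
        return false;
    *out = a + b;
    return true;
}

/* The expression quoted in the message above, wrapped for comparison. */
static bool halved_sum_flags(uint64_t summand1, uint64_t summand2)
{
    return ((summand1 / 2 + summand2 / 2 + 1) & (1ull << 63)) != 0;
}

/* Hypothetical buffer-size computation: count strides plus one extra
 * stride of slack, every step checked. Returns 0 on overflow, so the
 * caller must treat 0 as "do not allocate". */
static uint64_t padded_size(uint64_t stride, uint64_t count)
{
    uint64_t total;
    if (count != 0 && stride > UINT64_MAX / count)
        return 0;                       /* stride * count would wrap */
    if (!checked_add_u64(stride * count, stride, &total))
        return 0;                       /* adding the slack would wrap */
    return total;
}

int main(void)
{
    /* Constructed boundary values, not taken from any TIFF file. */
    const uint64_t cases[][2] = {
        {1, 2}, {UINT64_MAX, 0}, {UINT64_MAX, 1},
        {1ull << 63, 1ull << 63}, {1ull << 63, (1ull << 63) - 2},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t sum = 0;
        bool ok = checked_add_u64(cases[i][0], cases[i][1], &sum);
        printf("%llu + %llu: exact check %s, halved-sum test %s\n",
               (unsigned long long)cases[i][0], (unsigned long long)cases[i][1],
               ok ? "fits" : "overflow",
               halved_sum_flags(cases[i][0], cases[i][1]) ? "flags" : "passes");
    }
    return 0;
}
```

On these inputs the halved-sum test flags every sum that really overflows, and it also flags UINT64_MAX + 0 and 2^63 + (2^63 - 2), both of which fit in 64 bits.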