Fix integer overflow in dng_bad_pixels.cpp

author: Kinan Hakim <kinan@google.com> 2016-02-01 10:57:23 +0100
committer: Kinan Hakim <kinan@google.com> 2016-02-01 10:57:23 +0100
commit: f993c498090655d965c28ca56f275bfaa2b05ace (patch)
tree: f8125a29deb64b3b0c0bdb93c4bb2dba0ce76691
parent: 00a8925eb31ca5d88244f0861fb9b22792ea0df4 (diff)
download: dng_sdk-f993c498090655d965c28ca56f275bfaa2b05ace.tar.gz
1 files changed, 4 insertions, 7 deletions
diff --git a/source/dng_bad_pixels.cpp b/source/dng_bad_pixels.cpp
index 77012a4..36c1991 100644
--- a/source/dng_bad_pixels.cpp
+++ b/source/dng_bad_pixels.cpp
@@ -20,6 +20,7 @@
 #include "dng_host.h"
 #include "dng_image.h"
 #include "dng_negative.h"
+#include "dng_safe_arithmetic.h"
 
 #include <algorithm>
 
@@ -589,11 +590,6 @@ dng_opcode_FixBadPixelsList::dng_opcode_FixBadPixelsList
 	
 /*****************************************************************************/
 
-#if defined(__clang__) && defined(__has_attribute)
-#if __has_attribute(no_sanitize)
-__attribute__((no_sanitize("unsigned-integer-overflow")))
-#endif
-#endif
 dng_opcode_FixBadPixelsList::dng_opcode_FixBadPixelsList (dng_stream &stream)
 
 	:	dng_filter_opcode (dngOpcode_FixBadPixelsList,
@@ -612,8 +608,9 @@ dng_opcode_FixBadPixelsList::dng_opcode_FixBadPixelsList (dng_stream &stream)
 	
 	uint32 pCount = stream.Get_uint32 ();
 	uint32 rCount = stream.Get_uint32 ();
-	
-	if (size != 12 + pCount * 8 + rCount * 16)
+	uint32 expectedSize =
+	SafeUint32Add(12, SafeUint32Add(SafeUint32Mult(pCount, 8), SafeUint32Mult(rCount, 16)));
+	if (size != expectedSize)
 		{
 		ThrowBadFormat ();
 		}
author	Kinan Hakim <kinan@google.com>	2016-02-01 10:57:23 +0100
committer	Kinan Hakim <kinan@google.com>	2016-02-01 10:57:23 +0100
commit	f993c498090655d965c28ca56f275bfaa2b05ace (patch)
tree	f8125a29deb64b3b0c0bdb93c4bb2dba0ce76691
parent	00a8925eb31ca5d88244f0861fb9b22792ea0df4 (diff)
download	dng_sdk-f993c498090655d965c28ca56f275bfaa2b05ace.tar.gz