$OpenBSD: patch-src_common_imagtiff_cpp,v 1.1 2009/06/11 08:32:42 jasper Exp $

Security fix for part 2 of SA35292 (wxWidgets Double Free Vulnerability).
Patch from upstream svn -r60879 and -r60897.

--- src/common/imagtiff.cpp.orig	Wed Nov 21 13:41:57 2007
+++ src/common/imagtiff.cpp	Thu Jun 11 10:12:09 2009
@@ -261,7 +261,6 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputS
     }
 
     uint32 w, h;
-    uint32 npixels;
     uint32 *raster;
 
     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
@@ -275,9 +274,20 @@ bool wxTIFFHandler::LoadFile( wxImage *image, wxInputS
                            (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
                             samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
 
-    npixels = w * h;
+    // guard against integer overflow during multiplication which could result
+    // in allocating a too small buffer and then overflowing it
+    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+    {
+        if ( verbose )
+            wxLogError( _("TIFF: Image size is abnormally big.") );
 
-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+        TIFFClose(tif);
+
+        return false;
+    }
+
+    raster = (uint32*) _TIFFmalloc( bytesNeeded );
 
     if (!raster)
     {
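Review bot: The new guard on `bytesNeeded` rejects only sizes at or above UINT32_MAX, yet the value is then handed as a `double` straight to `_TIFFmalloc`, whose size parameter is not visible here. If that parameter is a signed 32-bit type (as I believe `tsize_t` is in libtiff 3.x; confirm against the headers this port builds with), a size between 2 GiB and 4 GiB passes the check but does not fit the implicit conversion. I would bound the check by the allocator's own size type and make the conversion explicit, e.g. `if ( bytesNeeded >= 2147483647 /* INT32_MAX */ )` and `raster = (uint32*) _TIFFmalloc( (tsize_t)bytesNeeded );`. The rest of LoadFile lies outside this hunk, so any later `w * h` arithmetic used to size the image buffers should be checked for the same overflow.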
