Merge pull request OSGeo#11872 from rouault/fix_ossfuzz_397740496

rouault · web-flow · commit 26fc9a3fedb5 · 2025-02-20T10:07:20.000+01:00
third_party/libertiff: tileCoordinateToIdx(): avoid potential harmless unsigned-int-overflow (ossfuzz#397740496)
diff --git a/third_party/libertiff/libertiff.hpp b/third_party/libertiff/libertiff.hpp
@@ -1084,18 +1084,26 @@ class Image
     {
         if (m_isTiled && m_tileWidth > 0 && m_tileHeight > 0)
         {
-            const auto lTilesPerRow = tilesPerRow();
-            const auto lTilesPerCol = tilesPerCol();
+            const uint32_t lTilesPerRow = tilesPerRow();
+            const uint32_t lTilesPerCol = tilesPerCol();
             if (xtile >= lTilesPerRow || ytile >= lTilesPerCol)
             {
                 ok = false;
                 return 0;
             }
-            auto idx = uint64_t(ytile) * lTilesPerRow + xtile;
+            uint64_t idx = uint64_t(ytile) * lTilesPerRow + xtile;
             if (bandIdx &&
                 m_planarConfiguration == PlanarConfiguration::Separate)
             {
-                idx += uint64_t(bandIdx) * lTilesPerCol * lTilesPerRow;
+                const uint64_t lTotalTiles =
+                    uint64_t(lTilesPerCol) * lTilesPerRow;
+                if (lTotalTiles >
+                    std::numeric_limits<uint64_t>::max() / bandIdx)
+                {
+                    ok = false;
+                    return 0;
+                }
+                idx += bandIdx * lTotalTiles;
             }
             return idx;
         }

Original file line number	Diff line number	Diff line change
`@@ -1084,18 +1084,26 @@ class Image`
`1084`	`1084`	`{`
`1085`	`1085`	`if (m_isTiled && m_tileWidth > 0 && m_tileHeight > 0)`
`1086`	`1086`	`{`
`1087`		`- const auto lTilesPerRow = tilesPerRow();`
`1088`		`- const auto lTilesPerCol = tilesPerCol();`
	`1087`	`+ const uint32_t lTilesPerRow = tilesPerRow();`
	`1088`	`+ const uint32_t lTilesPerCol = tilesPerCol();`
`1089`	`1089`	`if (xtile >= lTilesPerRow \|\| ytile >= lTilesPerCol)`
`1090`	`1090`	`{`
`1091`	`1091`	`ok = false;`
`1092`	`1092`	`return 0;`
`1093`	`1093`	`}`
`1094`		`- auto idx = uint64_t(ytile) * lTilesPerRow + xtile;`
	`1094`	`+ uint64_t idx = uint64_t(ytile) * lTilesPerRow + xtile;`
`1095`	`1095`	`if (bandIdx &&`
`1096`	`1096`	`m_planarConfiguration == PlanarConfiguration::Separate)`
`1097`	`1097`	`{`
`1098`		`- idx += uint64_t(bandIdx) * lTilesPerCol * lTilesPerRow;`
	`1098`	`+ const uint64_t lTotalTiles =`
	`1099`	`+ uint64_t(lTilesPerCol) * lTilesPerRow;`
	`1100`	`+ if (lTotalTiles >`
	`1101`	`+ std::numeric_limits<uint64_t>::max() / bandIdx)`
	`1102`	`+ {`
	`1103`	`+ ok = false;`
	`1104`	`+ return 0;`
	`1105`	`+ }`
	`1106`	`+ idx += bandIdx * lTotalTiles;`
`1099`	`1107`	`}`
`1100`	`1108`	`return idx;`
`1101`	`1109`	`}`