INTEGER_OVERFLOW_L2-libtiff/tif_read.c:753-MEDIUM
Varangian Defect Detector Bot:
Varangian is a bot which uses Augmented Static Analysis to automatically create issues for bugs in the latest commit. More information: https://github.com/AICoE/Varangian
Description:
Infer bug type: INTEGER_OVERFLOW_L2
Location: libtiff/tif_read.c:753
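Description: libtiff/tif_read.c:753:5: Binary operation: ([1, 9223372036854775807] × 10):unsigned64
Reading the report: Infer's interval for `stripsize` is [1, 9223372036854775807], so `(uint64_t)stripsize * 10` can exceed the unsigned 64-bit range and wrap. The `newbytecount` range check on line 754 runs after the arithmetic, so it may not reject a wrapped value. Whether this is reachable depends on the guard that ends on line 751: `(bytecount - 4096) / 10 > (uint64_t)stripsize` bounds `stripsize` only when `bytecount - 4096` does not itself wrap, and the first part of that condition (line 750) is not shown here. Confirm it against the source before closing this as a false positive.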
Likelihood: MEDIUM
Possible bug location:
libtiff/tif_read.c:753
libtiff/tif_read.c:753:5: Binary operation: ([1, 9223372036854775807] × 10):unsigned64
751. (bytecount - 4096) / 10 > (uint64_t)stripsize )
752. {
753. uint64_t newbytecount = (uint64_t)stripsize * 10 + 4096;
^
754. if( newbytecount == 0 || newbytecount > (uint64_t)TIFF_INT64_MAX )
755. {
All traces:
Show trace for bug with rank 3
Bug Rank: 3#1337
libtiff/tif_read.c:753: error: Integer Overflow L2
([1, 9223372036854775807] × 10):unsigned64.
libtiff/tif_read.c:733:24: <LHS trace>
731. if ((tif->tif_flags&TIFF_NOREADRAW)==0)
732. {
733. uint64_t bytecount = TIFFGetStrileByteCount(tif, strip);
^
734. if( bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX ) {
735. TIFFErrorExt(tif->tif_clientdata, module,
libtiff/tif_read.c:733:24: Call
731. if ((tif->tif_flags&TIFF_NOREADRAW)==0)
732. {
733. uint64_t bytecount = TIFFGetStrileByteCount(tif, strip);
^
734. if( bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX ) {
735. TIFFErrorExt(tif->tif_clientdata, module,
libtiff/tif_dirread.c:6418:12: Call
6416. uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile)
6417. {
6418. return TIFFGetStrileByteCountWithErr(tif, strile, NULL);
^
6419. }
6420.
libtiff/tif_dirread.c:6425:12: Call
6423. {
6424. TIFFDirectory *td = &tif->tif_dir;
6425. return _TIFFGetStrileOffsetOrByteCountValue(tif, strile,
^
6426. &(td->td_stripbytecount_entry),
6427. &(td->td_stripbytecount_p), pbErr);
libtiff/tif_dirread.c:6387:18: Assignment
6385. if( pbErr )
6386. *pbErr = 1;
6387. return 0;
^
6388. }
6389. }
libtiff/tif_dirread.c:6425:5: Assignment
6423. {
6424. TIFFDirectory *td = &tif->tif_dir;
6425. return _TIFFGetStrileOffsetOrByteCountValue(tif, strile,
^
6426. &(td->td_stripbytecount_entry),
6427. &(td->td_stripbytecount_p), pbErr);
libtiff/tif_dirread.c:6418:5: Assignment
6416. uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile)
6417. {
6418. return TIFFGetStrileByteCountWithErr(tif, strile, NULL);
^
6419. }
6420.
libtiff/tif_read.c:733:3: Assignment
731. if ((tif->tif_flags&TIFF_NOREADRAW)==0)
732. {
733. uint64_t bytecount = TIFFGetStrileByteCount(tif, strip);
^
734. if( bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX ) {
735. TIFFErrorExt(tif->tif_clientdata, module,
libtiff/tif_read.c:753:5: Binary operation: ([1, 9223372036854775807] × 10):unsigned64
751. (bytecount - 4096) / 10 > (uint64_t)stripsize )
752. {
753. uint64_t newbytecount = (uint64_t)stripsize * 10 + 4096;
^
754. if( newbytecount == 0 || newbytecount > (uint64_t)TIFF_INT64_MAX )
755. {
Show trace for bug with rank 6
Bug Rank: 6#1338
libtiff/tif_read.c:753: error: Integer Overflow L2
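([10, 92233720368547758070] + 4096):unsigned64.
Note: the upper bound of this interval is the un-wrapped product from the rank 3 report (9223372036854775807 × 10), which already exceeds the unsigned 64-bit maximum. This addition report therefore follows from the multiplication in the same expression on line 753, and a bound on `stripsize` checked before that arithmetic would cover both reports.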
libtiff/tif_read.c:733:24: <LHS trace>
731. if ((tif->tif_flags&TIFF_NOREADRAW)==0)
732. {
733. uint64_t bytecount = TIFFGetStrileByteCount(tif, strip);
^
734. if( bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX ) {
735. TIFFErrorExt(tif->tif_clientdata, module,
libtiff/tif_read.c:733:24: Call
731. if ((tif->tif_flags&TIFF_NOREADRAW)==0)
732. {
733. uint64_t bytecount = TIFFGetStrileByteCount(tif, strip);
^
734. if( bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX ) {
735. TIFFErrorExt(tif->tif_clientdata, module,
libtiff/tif_dirread.c:6418:12: Call
6416. uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile)
6417. {
6418. return TIFFGetStrileByteCountWithErr(tif, strile, NULL);
^
6419. }
6420.
libtiff/tif_dirread.c:6425:12: Call
6423. {
6424. TIFFDirectory *td = &tif->tif_dir;
6425. return _TIFFGetStrileOffsetOrByteCountValue(tif, strile,
^
6426. &(td->td_stripbytecount_entry),
6427. &(td->td_stripbytecount_p), pbErr);
libtiff/tif_dirread.c:6387:18: Assignment
6385. if( pbErr )
6386. *pbErr = 1;
6387. return 0;
^
6388. }
6389. }
libtiff/tif_dirread.c:6425:5: Assignment
6423. {
6424. TIFFDirectory *td = &tif->tif_dir;
6425. return _TIFFGetStrileOffsetOrByteCountValue(tif, strile,
^
6426. &(td->td_stripbytecount_entry),
6427. &(td->td_stripbytecount_p), pbErr);
libtiff/tif_dirread.c:6418:5: Assignment
6416. uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile)
6417. {
6418. return TIFFGetStrileByteCountWithErr(tif, strile, NULL);
^
6419. }
6420.
libtiff/tif_read.c:733:3: Assignment
731. if ((tif->tif_flags&TIFF_NOREADRAW)==0)
732. {
733. uint64_t bytecount = TIFFGetStrileByteCount(tif, strip);
^
734. if( bytecount == 0 || bytecount > (uint64_t)TIFF_INT64_MAX ) {
735. TIFFErrorExt(tif->tif_clientdata, module,
libtiff/tif_read.c:753:5: Binary operation: ([10, 92233720368547758070] + 4096):unsigned64
751. (bytecount - 4096) / 10 > (uint64_t)stripsize )
752. {
753. uint64_t newbytecount = (uint64_t)stripsize * 10 + 4096;
^
754. if( newbytecount == 0 || newbytecount > (uint64_t)TIFF_INT64_MAX )
755. {