[BZ#2810] potential int32 overflow in multiply_ms() function
## Submitted by yangx92 at hotmail dot com on 2018-09-07 07:08

**[Link to original bug (#2810)](http://bugzilla.maptools.org/show_bug.cgi?id=2810)**

## Description

```
There is a potential int32 overflow in multiply_ms function in tools/ppm2tiff.c.

static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
	tmsize_t bytes = m1 * m2;

	if (m1 && bytes / m1 != m2)
		bytes = 0;

	return bytes;
}

Below is the proposal patch for the issue.

+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) + static tmsize_t multiply_ms(tmsize_t m1, tmsize_t m2) { - tmsize_t bytes = m1 * m2; - - if (m1 && bytes / m1 != m2) - bytes = 0; - - return bytes; + if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) + return 0; + return m1 * m2; }
```
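Review bot: the new guard in multiply_ms(), `if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )`, only bounds the product from above and silently assumes both operands are non-negative. tmsize_t is signed (the patch itself derives its maximum as `TIFF_SIZE_T_MAX >> 1`), so a positive m1 with a negative m2 passes the comparison and still reaches `return m1 * m2;`, where the multiplication can overflow in the negative direction. Either reject negative inputs in the same test, for example `if( m1 <= 0 || m2 < 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) return 0;`, or add a comment stating that callers only pass non-negative sizes. A one-line comment that 0 is the overflow/error return would also help, since 0 is what a caller sees for a legitimate `m2 == 0` as well. Checking before multiplying, rather than dividing the already-computed product as the removed lines did, is the right direction, because the old test ran only after the signed overflow had already happened.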