diff options
author | dsinclair <dsinclair@chromium.org> | 2016-10-03 13:59:57 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-10-03 13:59:57 -0700 |
commit | 76383db4906c9357292846ace77566b34eb47de9 (patch) | |
tree | 60b3a5fa45ffca5c8f1b0c6b834e934a88c6a82e | |
parent | abab61a1fcd776964a15c528dd2dd034fb31edf0 (diff) | |
download | pdfium-chromium/2880.tar.xz |
Fix potentially uninitialized value.chromium/2880
Depending on what ReadOK does it's possible for |dircount16| to be used without
being initialized. The read code calls back into PDFium specific code which then
calls into the stream reading code.
Initialize the value to be sure it is set.
BUG=chromium:651632
Review-Url: https://codereview.chromium.org/2389993002
-rw-r--r-- | third_party/libtiff/0007-uninitialized-value.patch | 13 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libtiff/tif_dirread.c | 2 |
3 files changed, 15 insertions, 1 deletions
diff --git a/third_party/libtiff/0007-uninitialized-value.patch b/third_party/libtiff/0007-uninitialized-value.patch new file mode 100644 index 0000000000..f6e9806181 --- /dev/null +++ b/third_party/libtiff/0007-uninitialized-value.patch @@ -0,0 +1,13 @@ +diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c +index 5ef3264..bc41021 100644 +--- a/third_party/libtiff/tif_dirread.c ++++ b/third_party/libtiff/tif_dirread.c +@@ -4443,7 +4443,7 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, + static const char module[] = "TIFFFetchDirectory"; + + void* origdir; +- uint16 dircount16; ++ uint16 dircount16 = 0; + uint32 dirsize; + TIFFDirEntry* dir; + uint8* ma; diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index 936cd94e90..2f9c4f929f 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -16,3 +16,4 @@ Local Modifications: 0004-CVE-2015-8784.patch: Security fixes 0005-Leak-TIFFFetchStripThing.patch: Fix a memory leak 0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow +0007-uninitialized-value.patch: Fix potentially uninitialized dircount value diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c index 5ef326485b..bc4102184c 100644 --- a/third_party/libtiff/tif_dirread.c +++ b/third_party/libtiff/tif_dirread.c @@ -4443,7 +4443,7 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, static const char module[] = "TIFFFetchDirectory"; void* origdir; - uint16 dircount16; + uint16 dircount16 = 0; uint32 dirsize; TIFFDirEntry* dir; uint8* ma; |