Make tiff_read return actual length read

The return value is used to determine whether TIFFReadFile fails. If we return just the length, libtiff will try reading uninitilized values afterwards, on corrupted files. BUG=679230, 670928 Change-Id: I579adc9d8a00e8cafab45dbdb728f1cb702da051 Reviewed-on: https://pdfium-review.googlesource.com/2172 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
author: Nicolas Pena <npm@chromium.org> 2017-01-11 16:39:20 -0500
committer: Chromium commit bot <commit-bot@chromium.org> 2017-01-11 21:57:03 +0000
commit: 5e3121beff936df1b0af3749447eeda1666d5d76 (patch)
tree: 90fdf7f63b5880c4f0e5f12c38e05be65467f2e3
parent: 96f482c9cd3c99425fd3422251903b1218253c66 (diff)
download: pdfium-5e3121beff936df1b0af3749447eeda1666d5d76.tar.xz
1 files changed, 5 insertions, 1 deletions
diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
index cf38d71b37..7818a34ec6 100644
--- a/core/fxcodec/codec/fx_codec_tiff.cpp
+++ b/core/fxcodec/codec/fx_codec_tiff.cpp
@@ -100,10 +100,14 @@ tsize_t tiff_read(thandle_t context, tdata_t buf, tsize_t length) {
   if (!increment.IsValid())
     return 0;
 
-  if (!pTiffContext->io_in()->ReadBlock(buf, pTiffContext->offset(), length))
+  FX_FILESIZE offset = pTiffContext->offset();
+  if (!pTiffContext->io_in()->ReadBlock(buf, offset, length))
     return 0;
 
   pTiffContext->set_offset(increment.ValueOrDie());
+  if (offset + length > pTiffContext->io_in()->GetSize())
+    return pTiffContext->io_in()->GetSize() - offset;
+
   return length;
 }
author	Nicolas Pena <npm@chromium.org>	2017-01-11 16:39:20 -0500
committer	Chromium commit bot <commit-bot@chromium.org>	2017-01-11 21:57:03 +0000
commit	5e3121beff936df1b0af3749447eeda1666d5d76 (patch)
tree	90fdf7f63b5880c4f0e5f12c38e05be65467f2e3
parent	96f482c9cd3c99425fd3422251903b1218253c66 (diff)
download	pdfium-5e3121beff936df1b0af3749447eeda1666d5d76.tar.xz