authorLei Zhang <thestig@chromium.org>2017-11-07 00:28:58 +0000
committerChromium commit bot <commit-bot@chromium.org>2017-11-07 00:28:58 +0000
commit064a3e108b2a2aefde6e0be5f7246b02af6f8aab (patch)
tree703058c10ab340aa628f5197061219c0ed190a8e
parent6c3665776eb6276be2b2314cd4242e7c21610ea2 (diff)
Prevent an OOM error in libtiff.
BUG=chromium:781582 Change-Id: I17711956884d1902cbd86f2163155b256402ecda Reviewed-on: https://pdfium-review.googlesource.com/17891 Reviewed-by: Chris Palmer <palmer@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
-rw-r--r--third_party/libtiff/0028-nstrips-OOM.patch26
-rw-r--r--third_party/libtiff/README.pdfium1
-rw-r--r--third_party/libtiff/tif_dirread.c8
3 files changed, 35 insertions, 0 deletions
diff --git a/third_party/libtiff/0028-nstrips-OOM.patch b/third_party/libtiff/0028-nstrips-OOM.patch
new file mode 100644
index 0000000000..a6db66ee88
--- /dev/null
+++ b/third_party/libtiff/0028-nstrips-OOM.patch
@@ -0,0 +1,26 @@
+diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
+index 772ebaf7d..ab938eac9 100644
+--- a/third_party/libtiff/tif_dirread.c
++++ b/third_party/libtiff/tif_dirread.c
+@@ -41,6 +41,7 @@
+
+ #include "tiffiop.h"
+ #include <float.h>
++#include <limits.h>
+
+ #define IGNORE 0 /* tag placeholder used below */
+ #define FAILED_FII ((uint32) -1)
+@@ -3638,6 +3639,13 @@ TIFFReadDirectory(TIFF* tif)
+ isTiled(tif) ? "tiles" : "strips");
+ goto bad;
+ }
++ if (tif->tif_dir.td_nstrips > INT_MAX) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Cannot handle %u number of %s",
++ tif->tif_dir.td_nstrips,
++ isTiled(tif) ? "tiles" : "strips");
++ goto bad;
++ }
+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 39a8b5f025..a370a49ce7 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -17,3 +17,4 @@ Local Modifications:
0025-upstream-OOM-gtTileContig: allocates the decoded buffer only after a first successful TIFFFillStrip.
0026-upstream-null-dereference: properly evit when stoponerr is set and avoid null dereferences.
0027-build-config.patch: #define variables so their value can be used by #if.
+0028-nstrips-OOM.patch: return error for excess number of tiles/strips.
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
index 772ebaf7d4..ab938eac9d 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -41,6 +41,7 @@
#include "tiffiop.h"
#include <float.h>
+#include <limits.h>
#define IGNORE 0 /* tag placeholder used below */
#define FAILED_FII ((uint32) -1)
@@ -3638,6 +3639,13 @@ TIFFReadDirectory(TIFF* tif)
isTiled(tif) ? "tiles" : "strips");
goto bad;
}
+ if (tif->tif_dir.td_nstrips > INT_MAX) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot handle %u number of %s",
+ tif->tif_dir.td_nstrips,
+ isTiled(tif) ? "tiles" : "strips");
+ goto bad;
+ }
tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
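Review bot: The new guard on `tif->tif_dir.td_nstrips` rejects only counts above `INT_MAX`, so a directory that declares a count just under that limit still passes, and any per-strip allocation later in TIFFReadDirectory would still be sized by a value taken from the file (those allocation sites are outside this hunk, so this is inferred). The choice of `INT_MAX` is also unexplained; a comment above the check such as `/* td_nstrips is file-controlled: reject counts that do not fit in an int before they size any allocation */` would tell a maintainer what the limit protects. If the goal is to bound memory rather than to guard an int conversion, a cap tied to the file size or a fixed maximum would be a tighter check. The same lines are recorded in 0028-nstrips-OOM.patch, and the function body begins and ends outside the hunk.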