author | Nicolas Pena <npm@chromium.org> | 2017-07-28 13:23:59 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-07-28 18:39:37 +0000 |
commit | d3c6f8119a4c6cd143c6f2f3f874705f57afaf36 (patch) | |
tree | 8672cae6a59eb845827bce3532ededd26fc8a55b | |
parent | 90555e06b0c03777bca17ca423b765b3cb517f56 (diff) | |
LibTIFF: upstream patch to fix null dereference
This CL applies the upstream patch below, which fixes a recent null dereference regression:
https://github.com/vadz/libtiff/commit/57f4b28c00d78bd5d74768585d0e46b2e12e94f7
Bug: chromium:743621
Change-Id: I0f9d4321dc6ea71dd31cf0ba8420cc25d401f0d8
Reviewed-on: https://pdfium-review.googlesource.com/9490
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r-- | third_party/libtiff/0026-upstream-null-dereference.patch | 22 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libtiff/tif_getimage.c | 4 |
3 files changed, 25 insertions, 2 deletions
diff --git a/third_party/libtiff/0026-upstream-null-dereference.patch b/third_party/libtiff/0026-upstream-null-dereference.patch
new file mode 100644
index 0000000000..052645ff8a
--- /dev/null
+++ b/third_party/libtiff/0026-upstream-null-dereference.patch
@@ -0,0 +1,22 @@
+diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
+index 03c9a81fb..d37f729c4 100644
+--- a/third_party/libtiff/tif_getimage.c
++++ b/third_party/libtiff/tif_getimage.c
+@@ -681,7 +681,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ return (0);
+ }
+ leftmost_toskew = safeskew;
+- for (row = 0; row < h; row += nrow)
++ for (row = 0; ret != 0 && row < h; row += nrow)
+ {
+ rowstoread = th - (row + img->row_offset) % th;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
+@@ -830,7 +830,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ leftmost_fromskew = img->col_offset % tw;
+ leftmost_tw = tw - leftmost_fromskew;
+ leftmost_toskew = toskew + leftmost_fromskew;
+- for (row = 0; row < h; row += nrow)
++ for (row = 0; ret != 0 && row < h; row += nrow)
+ {
+ rowstoread = th - (row + img->row_offset) % th;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index d8812077c1..80cc6371f4 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -15,3 +15,4 @@ Local Modifications:
 0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
 0025-upstream-OOM-gtTileContig: allocates the decoded buffer only after a first successful TIFFFillStrip.
+0026-upstream-null-dereference: properly evit when stoponerr is set and avoid null dereferences.
diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
index 03c9a81fb6..d37f729c46 100644
--- a/third_party/libtiff/tif_getimage.c
+++ b/third_party/libtiff/tif_getimage.c
@@ -681,7 +681,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 return (0);
 }
 leftmost_toskew = safeskew;
- for (row = 0; row < h; row += nrow)
+ for (row = 0; ret != 0 && row < h; row += nrow)
 {
 rowstoread = th - (row + img->row_offset) % th;
 nrow = (row + rowstoread > h ? h - row : rowstoread);
@@ -830,7 +830,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 leftmost_fromskew = img->col_offset % tw;
 leftmost_tw = tw - leftmost_fromskew;
 leftmost_toskew = toskew + leftmost_fromskew;
- for (row = 0; row < h; row += nrow)
+ for (row = 0; ret != 0 && row < h; row += nrow)
 {
 rowstoread = th - (row + img->row_offset) % th;
 nrow = (row + rowstoread > h ? h - row : rowstoread); |
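Review bot: The new `ret != 0 &&` term in the row loop of gtTileContig carries the whole fix but has no comment, and it is only correct if `ret` starts non-zero and is cleared where a tile read fails; neither assignment is visible here, since the function body starts and ends outside the hunk. A comment above the loop would keep the guard from being dropped on the next libtiff roll, for example `/* a failed tile read clears ret; stop at that row rather than continuing (null dereference, chromium:743621) */`. The same applies to the identical change in gtTileSeparate at -830. Presumably the failure path breaks out of an inner per-column loop only, which is why the outer condition is needed; that is worth confirming against the full file. The commit also adds no regression input for the crashing TIFF, so nothing visible here would catch the guard being lost again.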