authorNicolas Pena <npm@chromium.org>2017-07-28 13:23:59 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-07-28 18:39:37 +0000
commitd3c6f8119a4c6cd143c6f2f3f874705f57afaf36 (patch)
tree8672cae6a59eb845827bce3532ededd26fc8a55b
parent90555e06b0c03777bca17ca423b765b3cb517f56 (diff)
downloadpdfium-d3c6f8119a4c6cd143c6f2f3f874705f57afaf36.tar.xz
LibTIFF: upstream patch to fix null dereference
This CL applies this patch that fixes a recent null dereference regression: https://github.com/vadz/libtiff/commit/57f4b28c00d78bd5d74768585d0e46b2e12e94f7 Bug: chromium:743621 Change-Id: I0f9d4321dc6ea71dd31cf0ba8420cc25d401f0d8 Reviewed-on: https://pdfium-review.googlesource.com/9490 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r--third_party/libtiff/0026-upstream-null-dereference.patch22
-rw-r--r--third_party/libtiff/README.pdfium1
-rw-r--r--third_party/libtiff/tif_getimage.c4
3 files changed, 25 insertions, 2 deletions
diff --git a/third_party/libtiff/0026-upstream-null-dereference.patch b/third_party/libtiff/0026-upstream-null-dereference.patch
new file mode 100644
index 0000000000..052645ff8a
--- /dev/null
+++ b/third_party/libtiff/0026-upstream-null-dereference.patch
@@ -0,0 +1,22 @@
+diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
+index 03c9a81fb..d37f729c4 100644
+--- a/third_party/libtiff/tif_getimage.c
++++ b/third_party/libtiff/tif_getimage.c
+@@ -681,7 +681,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ return (0);
+ }
+ leftmost_toskew = safeskew;
+- for (row = 0; row < h; row += nrow)
++ for (row = 0; ret != 0 && row < h; row += nrow)
+ {
+ rowstoread = th - (row + img->row_offset) % th;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
+@@ -830,7 +830,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ leftmost_fromskew = img->col_offset % tw;
+ leftmost_tw = tw - leftmost_fromskew;
+ leftmost_toskew = toskew + leftmost_fromskew;
+- for (row = 0; row < h; row += nrow)
++ for (row = 0; ret != 0 && row < h; row += nrow)
+ {
+ rowstoread = th - (row + img->row_offset) % th;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index d8812077c1..80cc6371f4 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -15,3 +15,4 @@ Local Modifications:
0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
0025-upstream-OOM-gtTileContig: allocates the decoded buffer only after a first successful TIFFFillStrip.
+0026-upstream-null-dereference: properly evit when stoponerr is set and avoid null dereferences.
diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
index 03c9a81fb6..d37f729c46 100644
--- a/third_party/libtiff/tif_getimage.c
+++ b/third_party/libtiff/tif_getimage.c
@@ -681,7 +681,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
return (0);
}
leftmost_toskew = safeskew;
- for (row = 0; row < h; row += nrow)
+ for (row = 0; ret != 0 && row < h; row += nrow)
{
rowstoread = th - (row + img->row_offset) % th;
nrow = (row + rowstoread > h ? h - row : rowstoread);
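Review bot: The new `ret != 0` term in the `for` condition of gtTileContig carries no comment explaining why the row loop must stop, and the same applies to the identical change in gtTileSeparate. The loop body lies outside the hunk, so presumably a failed tile read sets `ret = 0` and breaks only the inner column loop. A one-line comment above the `for`, such as `/* stop at the first failed tile read; the inner break does not leave this loop */`, would keep a later refactor from dropping the guard. The guard also depends on `ret` being initialised non-zero before the loop, which is not visible here. It is worth confirming that nothing between the inner break and the end of the body touches the tile buffer, since the condition is re-evaluated only after the rest of the iteration has run.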
@@ -830,7 +830,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
leftmost_fromskew = img->col_offset % tw;
leftmost_tw = tw - leftmost_fromskew;
leftmost_toskew = toskew + leftmost_fromskew;
- for (row = 0; row < h; row += nrow)
+ for (row = 0; ret != 0 && row < h; row += nrow)
{
rowstoread = th - (row + img->row_offset) % th;
nrow = (row + rowstoread > h ? h - row : rowstoread);