author | Nicolas Pena <npm@chromium.org> | 2017-02-08 15:39:02 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-02-08 21:07:15 +0000 |
commit | ac2e04797b258115b2dc768a56377d7e78038f42 (patch) | |
tree | afbac8e92f28571f126171a6c728b48b99db2bf3 | |
parent | 0fc185ea8a3a7028e566c05cc323e50ebce32d62 (diff) | |
Libtiff upstream fix for TIFFFetchNormalTagchromium/3007
Upstream commits:
https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed
https://github.com/vadz/libtiff/commit/89406285f318ffad27af4b200204394b2ee6ba5e
BUG=690124
Change-Id: I8388ae37e94f4e62cd8f9688baf9cf5416348d0c
Reviewed-on: https://pdfium-review.googlesource.com/2558
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r-- | third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch | 28 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libtiff/tif_dirread.c | 10 |
3 files changed, 39 insertions, 0 deletions
diff --git a/third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch b/third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch
new file mode 100644
index 0000000000..9ebb7ef8db
--- /dev/null
+++ b/third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch
@@ -0,0 +1,28 @@
+diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
+index bc4102184..0e3f8ccd4 100644
+--- a/third_party/libtiff/tif_dirread.c
++++ b/third_party/libtiff/tif_dirread.c
+@@ -4983,6 +4983,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ if (err==TIFFReadDirEntryErrOk)
+ {
+ int m;
++ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
++ data[dp->tdir_count-1] = '\0';
++ }
+ m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
+ if (data!=0)
+ _TIFFfree(data);
+@@ -5155,6 +5160,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ if (err==TIFFReadDirEntryErrOk)
+ {
+ int m;
++ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
++ data[dp->tdir_count-1] = '\0';
++ }
+ m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
+ if (data!=0)
+ _TIFFfree(data);
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 7057a58a87..6a78a1968b 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -28,3 +28,4 @@ Local Modifications:
 0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
 0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
+0019-fix-invalid-reads-TIFFFetchNormalTag.patch: upstream security fix in tif_dirread.
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
index bc4102184c..0e3f8ccd48 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -4983,6 +4983,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
 if (err==TIFFReadDirEntryErrOk)
 {
 int m;
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
+ data[dp->tdir_count-1] = '\0';
+ }
 m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
 if (data!=0)
 _TIFFfree(data);
@@ -5155,6 +5160,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
 if (err==TIFFReadDirEntryErrOk)
 {
 int m;
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
+ data[dp->tdir_count-1] = '\0';
+ }
 m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
 if (data!=0)
 _TIFFfree(data); |
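Review bot: The added check indexes `data[dp->tdir_count-1]` before the pre-existing `if (data!=0)` guard two lines below it, so in both tif_dirread.c hunks (@@ -4983 and @@ -5155) the fix depends on `data` never being NULL when `tdir_count > 0`. That presumably holds after a successful read, but the array reader is outside the hunk and the invariant is not visible here; stating it in the condition costs nothing: `if( data != 0 && dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )`. The terminator is also forced by overwriting the last byte, so an unterminated value silently loses its final character; a one-line comment such as `/* last byte is overwritten, not appended: value is truncated by one */` would make that intent clear. TIFFFetchNormalTag's body starts and ends outside both hunks.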