summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortracy_jiang <tracy_jiang@foxitsoftware.com>2016-08-29 13:42:56 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-29 13:42:56 -0700
commitdda2c0dc502b50d4de66b80305441bfb612ec6c1 (patch)
treefaf28f1b1f12ad9cd41473fa71bdad70c6f361e9
parentc116e597ef4dfac88248d6de0e7c9bdf093b6e7c (diff)
downloadpdfium-dda2c0dc502b50d4de66b80305441bfb612ec6c1.tar.xz
Fix for #618267. Adding a method to determine if multiplication has
overflow. BUG=618267 Review-Url: https://codereview.chromium.org/2284063002
Diffstat
-rw-r--r--core/fxcodec/codec/fx_codec_tiff.cpp4
-rw-r--r--third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch40
-rw-r--r--third_party/libtiff/README.pdfium1
-rw-r--r--third_party/libtiff/tif_aux.c2
-rw-r--r--third_party/libtiff/tiffio.h1
5 files changed, 47 insertions, 1 deletions
diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
index 09cfea4111..20fda6308f 100644
--- a/core/fxcodec/codec/fx_codec_tiff.cpp
+++ b/core/fxcodec/codec/fx_codec_tiff.cpp
@@ -79,6 +79,10 @@ int _TIFFmemcmp(const void* ptr1, const void* ptr2, tmsize_t size) {
return FXSYS_memcmp(ptr1, ptr2, (size_t)size);
}
+int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) {
+ return op1 > std::numeric_limits<tmsize_t>::max() / op2;
+}
+
TIFFErrorHandler _TIFFwarningHandler = nullptr;
TIFFErrorHandler _TIFFerrorHandler = nullptr;
diff --git a/third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
new file mode 100644
index 0000000000..583f068c95
--- /dev/null
+++ b/third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
@@ -0,0 +1,40 @@
+diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
+index 09cfea4..20fda63 100644
+--- a/core/fxcodec/codec/fx_codec_tiff.cpp
++++ b/core/fxcodec/codec/fx_codec_tiff.cpp
+@@ -79,6 +79,10 @@ int _TIFFmemcmp(const void* ptr1, const void* ptr2, tmsize_t size) {
+ return FXSYS_memcmp(ptr1, ptr2, (size_t)size);
+ }
+
++int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) {
++ return op1 > std::numeric_limits<tmsize_t>::max() / op2;
++}
++
+ TIFFErrorHandler _TIFFwarningHandler = nullptr;
+ TIFFErrorHandler _TIFFerrorHandler = nullptr;
+
+diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
+index 927150a..3ce3680 100644
+--- a/third_party/libtiff/tif_aux.c
++++ b/third_party/libtiff/tif_aux.c
+@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ /*
+ * XXX: Check for integer overflow.
+ */
+- if (nmemb && elem_size && bytes / elem_size == nmemb)
++ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ cp = _TIFFrealloc(buffer, bytes);
+
+ if (cp == NULL) {
+diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h
+index 038b670..056aed2 100644
+--- a/third_party/libtiff/tiffio.h
++++ b/third_party/libtiff/tiffio.h
+@@ -298,6 +298,7 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
+ extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c);
+ extern void _TIFFfree(void* p);
++extern int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2);
+
+ /*
+ ** Stuff, related to tag handling and creating custom tags.
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 05e4965c4f..936cd94e90 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -15,3 +15,4 @@ Local Modifications:
0003-CVE-2015-8781-8782-8783.patch: Security fixes
0004-CVE-2015-8784.patch: Security fixes
0005-Leak-TIFFFetchStripThing.patch: Fix a memory leak
+0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
index 927150a493..3ce3680ab2 100644
--- a/third_party/libtiff/tif_aux.c
+++ b/third_party/libtiff/tif_aux.c
@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
/*
* XXX: Check for integer overflow.
*/
- if (nmemb && elem_size && bytes / elem_size == nmemb)
+ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
cp = _TIFFrealloc(buffer, bytes);
if (cp == NULL) {
diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h
index 038b67013f..056aed22f7 100644
--- a/third_party/libtiff/tiffio.h
+++ b/third_party/libtiff/tiffio.h
@@ -298,6 +298,7 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c);
extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c);
extern void _TIFFfree(void* p);
+extern int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2);
/*
** Stuff, related to tag handling and creating custom tags.
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-17 22:06:45 +0000