Libtiff upstream: _TIFFcalloc addition

Upstream commit:
https://github.com/vadz/libtiff/commit/d60332057b9575ada4f264489582b13e30137be1

Bug: chromium:711638
Change-Id: I46de1a00f9bb8d5de8df64ec78a9d62dcb4352ed
Reviewed-on: https://pdfium-review.googlesource.com/4310
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

7 files changed, 45 insertions, 3 deletions

diff --git a/core/fxcodec/codec/ccodec_tiffmodule.cpp b/core/fxcodec/codec/ccodec_tiffmodule.cpp
index 295f0abe34..3c24c33286 100644
--- a/core/fxcodec/codec/ccodec_tiffmodule.cpp
+++ b/core/fxcodec/codec/ccodec_tiffmodule.cpp
@@ -62,6 +62,10 @@ class CCodec_TiffContext {
   TIFF* m_tif_ctx;
 };
 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) {
+  return FXMEM_DefaultCalloc(nmemb, siz);
+}
+
 void* _TIFFmalloc(tmsize_t size) {
   return FXMEM_DefaultAlloc(size, 0);
 }
diff --git a/core/fxcrt/fx_basic_memmgr.cpp b/core/fxcrt/fx_basic_memmgr.cpp
index f3aaa3678d..75bc2bc1f1 100644
--- a/core/fxcrt/fx_basic_memmgr.cpp
+++ b/core/fxcrt/fx_basic_memmgr.cpp
@@ -24,9 +24,15 @@ void FXMEM_InitalizePartitionAlloc() {
 void* FXMEM_DefaultAlloc(size_t byte_size, int flags) {
   return (void*)malloc(byte_size);
 }
+
+void* FXMEM_DefaultCalloc(size_t num_elems, size_t byte_size) {
+  return calloc(num_elems, byte_size);
+}
+
 void* FXMEM_DefaultRealloc(void* pointer, size_t new_size, int flags) {
   return realloc(pointer, new_size);
 }
+
 void FXMEM_DefaultFree(void* pointer, int flags) {
   free(pointer);
 }
diff --git a/core/fxcrt/fx_memory.h b/core/fxcrt/fx_memory.h
index eb369d7d6c..684f2f2646 100644
--- a/core/fxcrt/fx_memory.h
+++ b/core/fxcrt/fx_memory.h
@@ -15,6 +15,7 @@ extern "C" {
 
 // For external C libraries to malloc through PDFium. These may return nullptr.
 void* FXMEM_DefaultAlloc(size_t byte_size, int flags);
+void* FXMEM_DefaultCalloc(size_t num_elems, size_t byte_size);
 void* FXMEM_DefaultRealloc(void* pointer, size_t new_size, int flags);
 void FXMEM_DefaultFree(void* pointer, int flags);
 
diff --git a/third_party/libtiff/0022-upstream-patch-0012.patch b/third_party/libtiff/0022-upstream-patch-0012.patch
new file mode 100644
index 0000000000..ce9b5ebc91
--- /dev/null
+++ b/third_party/libtiff/0022-upstream-patch-0012.patch
@@ -0,0 +1,29 @@
+diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
+index c25e7e79f..47686a473 100644
+--- a/third_party/libtiff/tif_read.c
++++ b/third_party/libtiff/tif_read.c
+@@ -983,9 +983,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
+                                 "Invalid buffer size");
+                    return (0);
+                }
+-               tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
+-               if (tif->tif_rawdata)
+-                       memset(tif->tif_rawdata, 0, tif->tif_rawdatasize);
++               /* Initialize to zero to avoid uninitialized buffers in case of */
++                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++               tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ 
+                tif->tif_flags |= TIFF_MYBUFFER;
+        }
+diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h
+index dd6c9a429..7d0da761f 100644
+--- a/third_party/libtiff/tiffio.h
++++ b/third_party/libtiff/tiffio.h
+@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
+  */
+ 
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index b11066fedd..be326b2746 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -26,3 +26,4 @@ Local Modifications:
 0019-oom-TIFFReadDirEntryArray.patch: Try to avoid out-of-memory in tif_dirread.c.
 0020-upstream-security-fixes.patch: patch our copy with several upstream security fixes.
 0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c
+0022-upstream-patch-0012.patch: Use the upstream solution corresponding to patch 0012.
diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
index c25e7e79f0..47686a473a 100644
--- a/third_party/libtiff/tif_read.c
+++ b/third_party/libtiff/tif_read.c
@@ -983,9 +983,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
 				 "Invalid buffer size");
 		    return (0);
 		}
-		tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
-		if (tif->tif_rawdata)
-			memset(tif->tif_rawdata, 0, tif->tif_rawdatasize);
+		/* Initialize to zero to avoid uninitialized buffers in case of */
+                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
+		tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
 
 		tif->tif_flags |= TIFF_MYBUFFER;
 	}
diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h
index dd6c9a4294..7d0da761fc 100644
--- a/third_party/libtiff/tiffio.h
+++ b/third_party/libtiff/tiffio.h
@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
  */
 
 extern void* _TIFFmalloc(tmsize_t s);
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
 extern void* _TIFFrealloc(void* p, tmsize_t s);
 extern void _TIFFmemset(void* p, int v, tmsize_t c);
 extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);