diff options
| author | Nicolas Pena <npm@chromium.org> | 2017-05-15 14:57:02 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-05-15 19:10:54 +0000 |
| commit | c4722a7a3b3274fb066c2aac4eb3717e648b3004 (patch) | |
| tree | 96225b63556040c47f8d388187a19b675f83074d | |
| parent | f5676902418f4914bacbe32ccf8f7ff562518554 (diff) | |
| download | pdfium-c4722a7a3b3274fb066c2aac4eb3717e648b3004.tar.xz | |
Libtiff: upstream fix for heap buffer overflow
Upstream patch:
https://github.com/vadz/libtiff/commit/5a4eceed8d2f28d05f49add9ce647684d59d461a
Bug: chromium:722071
Change-Id: Idef412edbeb3255375ab18c68721dbaf7c601119
Reviewed-on: https://pdfium-review.googlesource.com/5511
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
| -rw-r--r-- | third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch | 17 | ||||
| -rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
| -rw-r--r-- | third_party/libtiff/tif_packbits.c | 6 |
3 files changed, 24 insertions, 0 deletions
diff --git a/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch new file mode 100644 index 0000000000..eaae79746d --- /dev/null +++ b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch @@ -0,0 +1,17 @@ +diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c +index d2a0165de..92185e7f7 100644 +--- a/third_party/libtiff/tif_packbits.c ++++ b/third_party/libtiff/tif_packbits.c +@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + (unsigned long) ((tmsize_t)n - occ)); + n = (long)occ; + } ++ if( cc == 0 ) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Terminating PackBitsDecode due to lack of data."); ++ break; ++ } + occ -= n; + b = *bp++; + cc--; diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index 7c329114a3..d3c9c65815 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -28,3 +28,4 @@ Local Modifications: 0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c 0022-upstream-patch-0012.patch: Use the upstream solution corresponding to patch 0012. 0023-upstream-security-fixes.patch: more upstream patches related to security issues. +0024-upstream-PackBitsDecode-fix.patch: fix Heap-buffer-overflow in tif_packbits.c. diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c index d2a0165de9..92185e7f74 100644 --- a/third_party/libtiff/tif_packbits.c +++ b/third_party/libtiff/tif_packbits.c @@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) (unsigned long) ((tmsize_t)n - occ)); n = (long)occ; } + if( cc == 0 ) + { + TIFFWarningExt(tif->tif_clientdata, module, + "Terminating PackBitsDecode due to lack of data."); + break; + } occ -= n; b = *bp++; cc--; |