diff options
author | Nicolas Pena <npm@chromium.org> | 2017-01-11 16:39:20 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-11 21:57:03 +0000 |
commit | 5e3121beff936df1b0af3749447eeda1666d5d76 (patch) | |
tree | 90fdf7f63b5880c4f0e5f12c38e05be65467f2e3 /core/fxcodec/codec | |
parent | 96f482c9cd3c99425fd3422251903b1218253c66 (diff) | |
download | pdfium-5e3121beff936df1b0af3749447eeda1666d5d76.tar.xz |
Make tiff_read return actual length read
The return value is used to determine whether TIFFReadFile fails. If we
return just the length, libtiff will try reading uninitilized values
afterwards, on corrupted files.
BUG=679230, 670928
Change-Id: I579adc9d8a00e8cafab45dbdb728f1cb702da051
Reviewed-on: https://pdfium-review.googlesource.com/2172
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fxcodec/codec')
-rw-r--r-- | core/fxcodec/codec/fx_codec_tiff.cpp | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp index cf38d71b37..7818a34ec6 100644 --- a/core/fxcodec/codec/fx_codec_tiff.cpp +++ b/core/fxcodec/codec/fx_codec_tiff.cpp @@ -100,10 +100,14 @@ tsize_t tiff_read(thandle_t context, tdata_t buf, tsize_t length) { if (!increment.IsValid()) return 0; - if (!pTiffContext->io_in()->ReadBlock(buf, pTiffContext->offset(), length)) + FX_FILESIZE offset = pTiffContext->offset(); + if (!pTiffContext->io_in()->ReadBlock(buf, offset, length)) return 0; pTiffContext->set_offset(increment.ValueOrDie()); + if (offset + length > pTiffContext->io_in()->GetSize()) + return pTiffContext->io_in()->GetSize() - offset; + return length; } |