summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-01-11 16:39:20 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-01-11 21:57:03 +0000
commit5e3121beff936df1b0af3749447eeda1666d5d76 (patch)
tree90fdf7f63b5880c4f0e5f12c38e05be65467f2e3 /core
parent96f482c9cd3c99425fd3422251903b1218253c66 (diff)
downloadpdfium-5e3121beff936df1b0af3749447eeda1666d5d76.tar.xz
Make tiff_read return actual length read
The return value is used to determine whether TIFFReadFile fails. If we return just the length, libtiff will try reading uninitilized values afterwards, on corrupted files. BUG=679230, 670928 Change-Id: I579adc9d8a00e8cafab45dbdb728f1cb702da051 Reviewed-on: https://pdfium-review.googlesource.com/2172 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fxcodec/codec/fx_codec_tiff.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
index cf38d71b37..7818a34ec6 100644
--- a/core/fxcodec/codec/fx_codec_tiff.cpp
+++ b/core/fxcodec/codec/fx_codec_tiff.cpp
@@ -100,10 +100,14 @@ tsize_t tiff_read(thandle_t context, tdata_t buf, tsize_t length) {
if (!increment.IsValid())
return 0;
- if (!pTiffContext->io_in()->ReadBlock(buf, pTiffContext->offset(), length))
+ FX_FILESIZE offset = pTiffContext->offset();
+ if (!pTiffContext->io_in()->ReadBlock(buf, offset, length))
return 0;
pTiffContext->set_offset(increment.ValueOrDie());
+ if (offset + length > pTiffContext->io_in()->GetSize())
+ return pTiffContext->io_in()->GetSize() - offset;
+
return length;
}