summaryrefslogtreecommitdiff
path: root/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
diff options
context:
space:
mode:
authorstackexploit <stackexploit@gmail.com>2016-10-10 10:58:25 -0700
committerCommit bot <commit-bot@chromium.org>2016-10-10 10:58:25 -0700
commit24ba0a2ef48d7be37f02056d20bb8c625f641939 (patch)
tree903bb9dd7c91743057d8b2ead4a1ba7196ca0e02 /third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
parent3a0a808ff546b5633a2384f4ed156b7ced605c90 (diff)
downloadpdfium-24ba0a2ef48d7be37f02056d20bb8c625f641939.tar.xz
libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.
The patch (https://codereview.chromium.org/2284063002) for Issue 618267 was insufficient. The integer overflow still could be triggered and could lead to heap buffer overflow. This CL strengthens integer overflow check in function _TIFFCheckRealloc. BUG=chromium:654169 R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org Review-Url: https://codereview.chromium.org/2405693002
Diffstat (limited to 'third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch')
-rw-r--r--third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch13
1 files changed, 13 insertions, 0 deletions
diff --git a/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
new file mode 100644
index 0000000000..3d494d87ec
--- /dev/null
+++ b/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
@@ -0,0 +1,13 @@
+diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
+index 3ce3680..bc4ea01 100644
+--- a/third_party/libtiff/tif_aux.c
++++ b/third_party/libtiff/tif_aux.c
+@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ /*
+ * XXX: Check for integer overflow.
+ */
+- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
++ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ cp = _TIFFrealloc(buffer, bytes);
+
+ if (cp == NULL) {