diff options
| author | stackexploit <stackexploit@gmail.com> | 2016-10-26 22:40:34 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-10-26 22:40:34 -0700 |
| commit | 8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77 (patch) | |
| tree | bdcdc9bd6799833f362f4142436293665be16477 /third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch | |
| parent | 9f7f7f8773410020fbea2be87917591cddd86aab (diff) | |
| download | pdfium-8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77.tar.xz | |
libtiff: Prevent a buffer overflow in function PixarLogDecode.
Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected
images. The issue has been fixed in upstream (libtiff revision 1.44,
author: erouault, commitid: 2SqWSFG5a8Ewffcz, date: 2016-06-28 23:12:19 +0800).
This CL applies the official patch to tif_pixarlog.c.
BUG=chromium:654172
R=dsinclair@chromium.org, thestig@chromium.org
Review-Url: https://codereview.chromium.org/2453253003
Diffstat (limited to 'third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch')
| -rw-r--r-- | third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch b/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch new file mode 100644 index 0000000000..745da03d80 --- /dev/null +++ b/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch @@ -0,0 +1,33 @@ +diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c +index b93b4c7..0674fa4 100644 +--- a/third_party/libtiff/tif_pixarlog.c ++++ b/third_party/libtiff/tif_pixarlog.c +@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op, + typedef struct { + TIFFPredictorState predict; + z_stream stream; ++ tmsize_t tbuf_size; /* only set/used on reading for now */ + uint16 *tbuf; + uint16 stride; + int state; +@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif) + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + if (sp->tbuf == NULL) + return (0); ++ sp->tbuf_size = tbuf_size; + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) + sp->user_datafmt = PixarLogGuessDataFmt(td); + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { +@@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); + return (0); + } ++ /* Check that we will not fill more than what was allocated */ ++ if (sp->stream.avail_out > sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); ++ return (0); ++ } + do { + int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); + if (state == Z_STREAM_END) { |