summaryrefslogtreecommitdiff
path: root/third_party/libtiff/0021-oom-TIFFFillStrip.patch
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-04-05 15:50:53 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-04-05 20:29:31 +0000
commit3198c681df875f7f268f03040b64343741d4bda1 (patch)
tree6bd488f8109f7868104286fc659e41c9490914c9 /third_party/libtiff/0021-oom-TIFFFillStrip.patch
parentc057abce3508b0cd31b631b31bc41d2ecf5c37b0 (diff)
downloadpdfium-3198c681df875f7f268f03040b64343741d4bda1.tar.xz
Libtiff: Prevent OOM in TIFFFillStrip
In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of memory. In this CL we do sanity checks on the claimed size of the raw strip data before that happens, to prevent out-of-memory. Bug: chromium:707431 Change-Id: I4e7c9a8630fad11d4f68a3ceccd71ffa511f4293 Reviewed-on: https://pdfium-review.googlesource.com/3811 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'third_party/libtiff/0021-oom-TIFFFillStrip.patch')
-rw-r--r--third_party/libtiff/0021-oom-TIFFFillStrip.patch18
1 files changed, 18 insertions, 0 deletions
diff --git a/third_party/libtiff/0021-oom-TIFFFillStrip.patch b/third_party/libtiff/0021-oom-TIFFFillStrip.patch
new file mode 100644
index 0000000000..a64dc5ed13
--- /dev/null
+++ b/third_party/libtiff/0021-oom-TIFFFillStrip.patch
@@ -0,0 +1,18 @@
+diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
+index 1ba100e54..c25e7e79f 100644
+--- a/third_party/libtiff/tif_read.c
++++ b/third_party/libtiff/tif_read.c
+@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+ return(0);
+ }
++ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
++ if (bytecountm > size) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Requested read strip size %lu is too large",
++ (unsigned long) strip);
++ return (0);
++ }
+ if (bytecountm > tif->tif_rawdatasize) {
+ tif->tif_curstrip = NOSTRIP;
+ if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {