diff options
| author | Nicolas Pena <npm@chromium.org> | 2017-03-30 14:32:05 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-03-30 18:54:58 +0000 |
| commit | 1c5e98c6fdd664eda5e6d04835e55125a2117970 (patch) | |
| tree | b302ad49bc724217c327213b8acdd20ed9229e2a /third_party/libtiff/tif_dirread.c | |
| parent | bccf573b72c76597f6b1f1e99e8db4e1cc759843 (diff) | |
| download | pdfium-1c5e98c6fdd664eda5e6d04835e55125a2117970.tar.xz | |
Libtiff security upstream patches
CL list:
https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
https://github.com/vadz/libtiff/commit/b4b41925115059b49f97432bda0613411df2f686
Bug: chromium:706349
Change-Id: I782156e7486919a62e25eeb95cb8699f1b2c5ee1
Reviewed-on: https://pdfium-review.googlesource.com/3374
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'third_party/libtiff/tif_dirread.c')
| -rw-r--r-- | third_party/libtiff/tif_dirread.c | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c index d50b39a809..7dbcf6d86e 100644 --- a/third_party/libtiff/tif_dirread.c +++ b/third_party/libtiff/tif_dirread.c @@ -5503,8 +5503,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif) uint64 rowblockbytes; uint64 stripbytes; uint32 strip; - uint64 nstrips64; - uint32 nstrips32; + uint32 nstrips; uint32 rowsperstrip; uint64* newcounts; uint64* newoffsets; @@ -5535,18 +5534,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) return; /* - * never increase the number of strips in an image + * never increase the number of rows per strip */ if (rowsperstrip >= td->td_rowsperstrip) return; - nstrips64 = TIFFhowmany_64(bytecount, stripbytes); - if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ - return; - nstrips32 = (uint32)nstrips64; + nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); + if( nstrips == 0 ) + return; - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), "for chopped \"StripByteCounts\" array"); - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), + newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), "for chopped \"StripOffsets\" array"); if (newcounts == NULL || newoffsets == NULL) { /* @@ -5563,18 +5561,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif) * Fill the strip information arrays with new bytecounts and offsets * that reflect the broken-up format. */ - for (strip = 0; strip < nstrips32; strip++) { + for (strip = 0; strip < nstrips; strip++) { if (stripbytes > bytecount) stripbytes = bytecount; newcounts[strip] = stripbytes; - newoffsets[strip] = offset; + newoffsets[strip] = stripbytes ? offset : 0; offset += stripbytes; bytecount -= stripbytes; } /* * Replace old single strip info with multi-strip info. */ - td->td_stripsperimage = td->td_nstrips = nstrips32; + td->td_stripsperimage = td->td_nstrips = nstrips; TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); _TIFFfree(td->td_stripbytecount); |