diff options
| author | Nicolas Pena <npm@chromium.org> | 2017-04-18 17:13:56 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-04-18 22:04:19 +0000 |
| commit | ac07d340069e2f6e50d1e9aeae7140ce4d20a7de (patch) | |
| tree | c2734600f53f5821eec3ab1f3913b5db10f808fb /third_party/libtiff/tif_dirread.c | |
| parent | bf510b7c520bccbd2edf5bb3e2f91b125ebfd6d7 (diff) | |
| download | pdfium-ac07d340069e2f6e50d1e9aeae7140ce4d20a7de.tar.xz | |
Libtiff upstream security fixes
Upstream patches applied:
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122
https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490
https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4
Bug: chromium:711638
Change-Id: I017bfa91f7682c190bd7f8dbe36c2c3d1ac68728
Reviewed-on: https://pdfium-review.googlesource.com/4313
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'third_party/libtiff/tif_dirread.c')
| -rw-r--r-- | third_party/libtiff/tif_dirread.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c index 7dbcf6d86e..0926e16254 100644 --- a/third_party/libtiff/tif_dirread.c +++ b/third_party/libtiff/tif_dirread.c @@ -40,6 +40,7 @@ */ #include "tiffiop.h" +#include <float.h> #define IGNORE 0 /* tag placeholder used below */ #define FAILED_FII ((uint32) -1) @@ -2405,7 +2406,14 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEnt ma=(double*)origdata; mb=data; for (n=0; n<count; n++) - *mb++=(float)(*ma++); + { + double val = *ma++; + if( val > FLT_MAX ) + val = FLT_MAX; + else if( val < -FLT_MAX ) + val = -FLT_MAX; + *mb++=(float)val; + } } break; } @@ -2871,7 +2879,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFD m.l = direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong(m.i,2); - if (m.i[0]==0) + /* Not completely sure what we should do when m.i[1]==0, but some */ + /* sanitizers do not like division by 0.0: */ + /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ + if (m.i[0]==0 || m.i[1]==0) *value=0.0; else *value=(double)m.i[0]/(double)m.i[1]; @@ -2899,7 +2910,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFF m.l=direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong(m.i,2); - if ((int32)m.i[0]==0) + /* Not completely sure what we should do when m.i[1]==0, but some */ + /* sanitizers do not like division by 0.0: */ + /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ + if ((int32)m.i[0]==0 || m.i[1]==0) *value=0.0; else *value=(double)((int32)m.i[0])/(double)m.i[1]; |