diff options
author | Ryan Harrison <rharrison@chromium.org> | 2018-04-27 16:08:58 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-04-27 16:08:58 +0000 |
commit | b1b01de0285c77f16a72736bf6abeb9598743b0a (patch) | |
tree | 67d1e46245fb8d690cb6c890407b62f6275b49f3 /third_party/libtiff/tif_dirwrite.c | |
parent | 7f41d68152885d9b391fd9cc96d9754969b78369 (diff) | |
download | pdfium-b1b01de0285c77f16a72736bf6abeb9598743b0a.tar.xz |
Updated libtiff 4.0.8->4.0.9
Applied 0000-build-config.patch
Applied 0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
Applied 0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
Updated and applied 0017-safe_skews_in_gtTileContig.patch
Removed 0025-upstream-OOM-gtTileContig.patch, already applied
Removed 0026-upstream-null-dereference.patch, already applied
Applied 0027-build-config.patch
Updated and applied 0028-nstrips-OOM.patch
BUG=pdfium:1074
Change-Id: I32510327155213fd6256c5a67fa1be3a54cb975c
Reviewed-on: https://pdfium-review.googlesource.com/31550
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'third_party/libtiff/tif_dirwrite.c')
-rw-r--r-- | third_party/libtiff/tif_dirwrite.c | 38 |
1 files changed, 31 insertions, 7 deletions
diff --git a/third_party/libtiff/tif_dirwrite.c b/third_party/libtiff/tif_dirwrite.c index f733968513..c68d6d21d6 100644 --- a/third_party/libtiff/tif_dirwrite.c +++ b/third_party/libtiff/tif_dirwrite.c @@ -1,4 +1,4 @@ -/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */ +/* $Id: tif_dirwrite.c,v 1.89 2017-08-23 13:33:42 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) TIFFDirEntry* nb; for (na=0, nb=dir; ; na++, nb++) { - assert(na<ndir); + if( na == ndir ) + { + TIFFErrorExt(tif->tif_clientdata,module, + "Cannot find SubIFD tag"); + goto bad; + } if (nb->tdir_tag==TIFFTAG_SUBIFD) break; } @@ -1944,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir) for (p=0; p < tif->tif_dir.td_nsubifd; p++) { assert(pa != 0); - assert(*pa <= 0xFFFFFFFFUL); + + /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ + if( *pa > 0xFFFFFFFFUL) + { + TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); + _TIFFfree(o); + return(0); + } *pb++=(uint32)(*pa++); } n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); @@ -2111,7 +2123,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui { uint64 m; assert(sizeof(uint64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); + return(0); + } m=value; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong8(&m); @@ -2124,7 +2139,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di { assert(count<0x20000000); assert(sizeof(uint64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8Array","LONG8 not allowed for ClassicTIFF"); + return(0); + } if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong8(value,count); return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); @@ -2136,7 +2154,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u { int64 m; assert(sizeof(int64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedSlong8","SLONG8 not allowed for ClassicTIFF"); + return(0); + } m=value; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong8((uint64*)(&m)); @@ -2149,7 +2170,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d { assert(count<0x20000000); assert(sizeof(int64)==8); - assert(tif->tif_flags&TIFF_BIGTIFF); + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedSlong8Array","SLONG8 not allowed for ClassicTIFF"); + return(0); + } if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong8((uint64*)value,count); return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); |