summaryrefslogtreecommitdiff
path: root/third_party/libtiff/tif_next.c
diff options
context:
space:
mode:
authorthestig <thestig@chromium.org>2016-06-09 15:33:10 -0700
committerCommit bot <commit-bot@chromium.org>2016-06-09 15:33:10 -0700
commit342de0bef86b4a7be5599a02a6ff4a6e07328b11 (patch)
treeaceb0573d37fc769afb8ee039e8ad364ee01c1ba /third_party/libtiff/tif_next.c
parentd71bae02d83c4b9594336efdedc714bcd5c18ab7 (diff)
downloadpdfium-342de0bef86b4a7be5599a02a6ff4a6e07328b11.tar.xz
Apply security fixes to libtiff that are not in 4.0.6.
BUG=618164 Review-Url: https://codereview.chromium.org/2054993002
Diffstat (limited to 'third_party/libtiff/tif_next.c')
-rw-r--r--third_party/libtiff/tif_next.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/third_party/libtiff/tif_next.c b/third_party/libtiff/tif_next.c
index 17e031111a..b2076a0b01 100644
--- a/third_party/libtiff/tif_next.c
+++ b/third_party/libtiff/tif_next.c
@@ -37,7 +37,7 @@
case 0: op[0] = (unsigned char) ((v) << 6); break; \
case 1: op[0] |= (v) << 4; break; \
case 2: op[0] |= (v) << 2; break; \
- case 3: *op++ |= (v); break; \
+ case 3: *op++ |= (v); op_offset++; break; \
} \
}
@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
uint32 imagewidth = tif->tif_dir.td_imagewidth;
if( isTiled(tif) )
imagewidth = tif->tif_dir.td_tilewidth;
+ tmsize_t op_offset = 0;
/*
* The scanline is composed of a sequence of constant
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
* bounds, potentially resulting in a security
* issue.
*/
- while (n-- > 0 && npixels < imagewidth)
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
SETPIXEL(op, grey);
if (npixels >= imagewidth)
break;
+ if (op_offset >= scanline ) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
+ (long) tif->tif_row);
+ return (0);
+ }
if (cc == 0)
goto bad;
n = *bp++, cc--;