authorNicolas Pena <npm@chromium.org>2017-04-05 15:50:53 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-04-05 20:29:31 +0000
commit3198c681df875f7f268f03040b64343741d4bda1 (patch)
tree6bd488f8109f7868104286fc659e41c9490914c9 /third_party/libtiff/tif_read.c
parentc057abce3508b0cd31b631b31bc41d2ecf5c37b0 (diff)
Libtiff: Prevent OOM in TIFFFillStrip
In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of memory. In this CL we do sanity checks on the claimed size of the raw strip data before that happens, to prevent out-of-memory. Bug: chromium:707431 Change-Id: I4e7c9a8630fad11d4f68a3ceccd71ffa511f4293 Reviewed-on: https://pdfium-review.googlesource.com/3811 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'third_party/libtiff/tif_read.c')
-rw-r--r--third_party/libtiff/tif_read.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
index 1ba100e54c..c25e7e79f0 100644
--- a/third_party/libtiff/tif_read.c
+++ b/third_party/libtiff/tif_read.c
@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
return(0);
}
+ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
+ if (bytecountm > size) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Requested read strip size %lu is too large",
+ (unsigned long) strip);
+ return (0);
+ }
if (bytecountm > tif->tif_rawdatasize) {
tif->tif_curstrip = NOSTRIP;
if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
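Review bot: The error message at the new `bytecountm > size` check formats the strip index as though it were the requested size: `"Requested read strip size %lu is too large"` is passed `(unsigned long) strip`, so anyone triaging a malformed TIFF from the log sees a strip number where a byte count is implied. Wording that matches the argument would be `"Strip %lu: requested raw data size exceeds the file size"`. Separately, `(tmsize_t)TIFFGetFileSize(tif)` narrows the file size to a signed type, and the bound presumably relies on the client's size callback reporting a real length, so a comment such as `/* bytecount is read from the file and is untrusted: never allocate more than the file can hold */` would record why the check sits before the buffer setup and what it assumes. The declaration of `size` also follows statements in this block, which a C89 build would reject if the file does not otherwise mix declarations and code. TIFFFillStrip starts and ends outside the hunk.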