author | Nicolas Pena <npm@chromium.org> | 2017-02-08 17:40:32 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-02-09 17:47:58 +0000 |
commit | 67e4faaf8be0aebc67ebfb96d33933d9f9119d20 (patch) | |
tree | 948304b6df845fc23040ddc50611e7f74cc44ea8 /third_party/libtiff | |
parent | 9d5fd1de29538ab04c23ec9d11d22683e5c53e43 (diff) | |
download | pdfium-67e4faaf8be0aebc67ebfb96d33933d9f9119d20.tar.xz |
Libtiff upstream fix for large td_bitspersample
Commit:
https://github.com/vadz/libtiff/commit/b5065f39ebc8b125aaa790f9003988c0d675f814
BUG=681305
Change-Id: I4e6c166f892bdac83b45e5518302bfd9cbcbd332
Reviewed-on: https://pdfium-review.googlesource.com/2571
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'third_party/libtiff')
-rw-r--r-- | third_party/libtiff/0020-unreasonable-td-bitspersample.patch | 22 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libtiff/tif_dirread.c | 11 |
3 files changed, 34 insertions, 0 deletions
diff --git a/third_party/libtiff/0020-unreasonable-td-bitspersample.patch b/third_party/libtiff/0020-unreasonable-td-bitspersample.patch
new file mode 100644
index 0000000000..1ad5e34e3c
--- /dev/null
+++ b/third_party/libtiff/0020-unreasonable-td-bitspersample.patch
@@ -0,0 +1,22 @@
+diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
+index 0e3f8ccd4..e0403aef3 100644
+--- a/third_party/libtiff/tif_dirread.c
++++ b/third_party/libtiff/tif_dirread.c
+@@ -3754,6 +3754,17 @@ TIFFReadDirectory(TIFF* tif)
+ fip ? fip->field_name : "unknown tagname");
+ continue;
+ }
++ /* ColorMap or TransferFunction for high bit */
++ /* depths do not make much sense and could be */
++ /* used as a denial of service vector */
++ if (tif->tif_dir.td_bitspersample > 24)
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "Ignoring %s because BitsPerSample=%d>24",
++ fip ? fip->field_name : "unknown tagname",
++ tif->tif_dir.td_bitspersample);
++ continue;
++ }
+ countpersample=(1L<<tif->tif_dir.td_bitspersample);
+ if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
+ {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 6a78a1968b..219b3a73b0 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -29,3 +29,4 @@ Local Modifications:
 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
 0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
 0019-fix-invalid-reads-TIFFFetchNormalTag.patch: upstream security fix in tif_dirread.
+0020-unreasonable-td-bitspersample.patch: upstream patch ignoring large td_bitspersample.
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
index 0e3f8ccd48..e0403aef31 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -3754,6 +3754,17 @@ TIFFReadDirectory(TIFF* tif)
 fip ? fip->field_name : "unknown tagname");
 continue;
 }
+ /* ColorMap or TransferFunction for high bit */
+ /* depths do not make much sense and could be */
+ /* used as a denial of service vector */
+ if (tif->tif_dir.td_bitspersample > 24)
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "Ignoring %s because BitsPerSample=%d>24",
+ fip ? fip->field_name : "unknown tagname",
+ tif->tif_dir.td_bitspersample);
+ continue;
+ }
 countpersample=(1L<<tif->tif_dir.td_bitspersample);
 if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
 { |
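Review bot: The warning added in the `td_bitspersample > 24` branch reads `fip`, but nothing in this hunk assigns it for the current directory entry. The preceding guard uses the same `fip ? fip->field_name : "unknown tagname"` expression just before its own `continue`, so if `fip` is only looked up inside that guard's body (not visible here), the new message can name a stale or unrelated tag. Since this log line is what someone triaging a hostile TIFF will read, I would look the field up locally with `fip = TIFFFieldWithTag(tif,dp->tdir_tag);` immediately before the `TIFFWarningExt` call, and mirror that in 0020-unreasonable-td-bitspersample.patch. The limit `24` is also written twice, in the condition and in the format string; a named constant passed as a `%d` argument would keep the two in step. TIFFReadDirectory begins and ends outside the hunk, so the earlier assignment of `fip` should be confirmed against the full file.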