summaryrefslogtreecommitdiff
path: root/third_party/libtiff
diff options
context:
space:
mode:
authorstackexploit <stackexploit@gmail.com>2016-10-26 22:40:34 -0700
committerCommit bot <commit-bot@chromium.org>2016-10-26 22:40:34 -0700
commit8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77 (patch)
treebdcdc9bd6799833f362f4142436293665be16477 /third_party/libtiff
parent9f7f7f8773410020fbea2be87917591cddd86aab (diff)
downloadpdfium-8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77.tar.xz
libtiff: Prevent a buffer overflow in function PixarLogDecode.
Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images. The issue has been fixed in upstream (libtiff revision 1.44, author: erouault, commitid: 2SqWSFG5a8Ewffcz, date: 2016-06-28 23:12:19 +0800). This CL applies the official patch to tif_pixarlog.c. BUG=chromium:654172 R=dsinclair@chromium.org, thestig@chromium.org Review-Url: https://codereview.chromium.org/2453253003
Diffstat (limited to 'third_party/libtiff')
-rw-r--r--third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch33
-rw-r--r--third_party/libtiff/README.pdfium1
-rw-r--r--third_party/libtiff/tif_pixarlog.c8
3 files changed, 42 insertions, 0 deletions
diff --git a/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch b/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch
new file mode 100644
index 0000000000..745da03d80
--- /dev/null
+++ b/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch
@@ -0,0 +1,33 @@
+diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
+index b93b4c7..0674fa4 100644
+--- a/third_party/libtiff/tif_pixarlog.c
++++ b/third_party/libtiff/tif_pixarlog.c
+@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op,
+ typedef struct {
+ TIFFPredictorState predict;
+ z_stream stream;
++ tmsize_t tbuf_size; /* only set/used on reading for now */
+ uint16 *tbuf;
+ uint16 stride;
+ int state;
+@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
++ sp->tbuf_size = tbuf_size;
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+@@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+ return (0);
+ }
++ /* Check that we will not fill more than what was allocated */
++ if (sp->stream.avail_out > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
++ return (0);
++ }
+ do {
+ int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
+ if (state == Z_STREAM_END) {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 66049c4e98..e0b4192e75 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -18,3 +18,4 @@ Local Modifications:
0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
0007-uninitialized-value.patch: Fix potentially uninitialized dircount value
0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
+0009-HeapBufferOverflow-PixarLogDecode.patch: Fix a heap buffer overflow
diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index b93b4c77f1..0674fa48d6 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c
@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op,
typedef struct {
TIFFPredictorState predict;
z_stream stream;
+ tmsize_t tbuf_size; /* only set/used on reading for now */
uint16 *tbuf;
uint16 stride;
int state;
@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
if (sp->tbuf == NULL)
return (0);
+ sp->tbuf_size = tbuf_size;
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
sp->user_datafmt = PixarLogGuessDataFmt(td);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
return (0);
}
+ /* Check that we will not fill more than what was allocated */
+ if (sp->stream.avail_out > sp->tbuf_size)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ return (0);
+ }
do {
int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
if (state == Z_STREAM_END) {