summaryrefslogtreecommitdiff
path: root/third_party/libtiff
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-05-15 14:57:02 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-05-15 19:10:54 +0000
commitc4722a7a3b3274fb066c2aac4eb3717e648b3004 (patch)
tree96225b63556040c47f8d388187a19b675f83074d /third_party/libtiff
parentf5676902418f4914bacbe32ccf8f7ff562518554 (diff)
downloadpdfium-c4722a7a3b3274fb066c2aac4eb3717e648b3004.tar.xz
Libtiff: upstream fix for heap buffer overflow
Upstream patch: https://github.com/vadz/libtiff/commit/5a4eceed8d2f28d05f49add9ce647684d59d461a Bug: chromium:722071 Change-Id: Idef412edbeb3255375ab18c68721dbaf7c601119 Reviewed-on: https://pdfium-review.googlesource.com/5511 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'third_party/libtiff')
-rw-r--r--third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch17
-rw-r--r--third_party/libtiff/README.pdfium1
-rw-r--r--third_party/libtiff/tif_packbits.c6
3 files changed, 24 insertions, 0 deletions
diff --git a/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch
new file mode 100644
index 0000000000..eaae79746d
--- /dev/null
+++ b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch
@@ -0,0 +1,17 @@
+diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c
+index d2a0165de..92185e7f7 100644
+--- a/third_party/libtiff/tif_packbits.c
++++ b/third_party/libtiff/tif_packbits.c
+@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ (unsigned long) ((tmsize_t)n - occ));
+ n = (long)occ;
+ }
++ if( cc == 0 )
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Terminating PackBitsDecode due to lack of data.");
++ break;
++ }
+ occ -= n;
+ b = *bp++;
+ cc--;
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 7c329114a3..d3c9c65815 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -28,3 +28,4 @@ Local Modifications:
0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c
0022-upstream-patch-0012.patch: Use the upstream solution corresponding to patch 0012.
0023-upstream-security-fixes.patch: more upstream patches related to security issues.
+0024-upstream-PackBitsDecode-fix.patch: fix Heap-buffer-overflow in tif_packbits.c.
diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c
index d2a0165de9..92185e7f74 100644
--- a/third_party/libtiff/tif_packbits.c
+++ b/third_party/libtiff/tif_packbits.c
@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
(unsigned long) ((tmsize_t)n - occ));
n = (long)occ;
}
+ if( cc == 0 )
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Terminating PackBitsDecode due to lack of data.");
+ break;
+ }
occ -= n;
b = *bp++;
cc--;