diff options
author | Nicolas Pena <npm@chromium.org> | 2017-07-20 16:57:05 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-07-20 22:28:00 +0000 |
commit | d60609d3a12fb0e9925166b027c3f57884b77c5d (patch) | |
tree | f441804c10471addbfa1d9ca616bd43cf9dd42b0 /third_party | |
parent | e03f8b1c9ccb8923c97f43a45b4a2dbc8c60a786 (diff) | |
download | pdfium-d60609d3a12fb0e9925166b027c3f57884b77c5d.tar.xz |
LibTIFF: remove a couple of patches
This CL removes two patches that correspond to non-security CF bugs.
There are now only a few patches left: two patches to prevent overflow
in _TIFFCheckRealloc (overflows here are dangerous as they can cause
heap-buffer-overflows), one patch to prevent integer overflows which CF
reported as a security issue, and one recent upstream patch (which would
be removed in the next LibTIFF upgrade).
Next steps:
* Figure out how to reproduce the security issue from _TIFFCheckRealloc
(samples from the bugs seem to just timeout on asan) and report bug
upstream once it's confirmed that a change is needed.
* Ditto integer overflow, except it was already reported upstream, so
ping upstream once reproduction without the patch is possible again.
Change-Id: I6f9096a6e69698d5ded6a59c4aca5e07b351e716
Reviewed-on: https://pdfium-review.googlesource.com/8532
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/libtiff/0005-Leak-TIFFFetchStripThing.patch | 13 | ||||
-rw-r--r-- | third_party/libtiff/0007-uninitialized-value.patch | 13 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 2 | ||||
-rw-r--r-- | third_party/libtiff/tif_dirread.c | 4 |
4 files changed, 1 insertions, 31 deletions
diff --git a/third_party/libtiff/0005-Leak-TIFFFetchStripThing.patch b/third_party/libtiff/0005-Leak-TIFFFetchStripThing.patch deleted file mode 100644 index 0f9b16873f..0000000000 --- a/third_party/libtiff/0005-Leak-TIFFFetchStripThing.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c -index a0dc68b..5ef3264 100644 ---- a/third_party/libtiff/tif_dirread.c -+++ b/third_party/libtiff/tif_dirread.c -@@ -5372,6 +5372,8 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) - static const char module[] = "TIFFFetchStripThing"; - enum TIFFReadDirEntryErr err; - uint64* data; -+ _TIFFfree(*lpp); -+ *lpp = 0; - err=TIFFReadDirEntryLong8Array(tif,dir,&data); - if (err!=TIFFReadDirEntryErrOk) - { diff --git a/third_party/libtiff/0007-uninitialized-value.patch b/third_party/libtiff/0007-uninitialized-value.patch deleted file mode 100644 index f6e9806181..0000000000 --- a/third_party/libtiff/0007-uninitialized-value.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c -index 5ef3264..bc41021 100644 ---- a/third_party/libtiff/tif_dirread.c -+++ b/third_party/libtiff/tif_dirread.c -@@ -4443,7 +4443,7 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, - static const char module[] = "TIFFFetchDirectory"; - - void* origdir; -- uint16 dircount16; -+ uint16 dircount16 = 0; - uint32 dirsize; - TIFFDirEntry* dir; - uint8* ma; diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index 285a628fdd..d8812077c1 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -11,9 +11,7 @@ Local Modifications: 0000-build-config.patch: Local build configuration changes. 0001-build-config.patch: Enable HAVE_SEARCH_H in tiffconf.h for VS 2015 -0005-Leak-TIFFFetchStripThing.patch: Fix a memory leak 0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow -0007-uninitialized-value.patch: Fix potentially uninitialized dircount value 0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32. 0025-upstream-OOM-gtTileContig: allocates the decoded buffer only after a first successful TIFFFillStrip. diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c index 385ed12db0..772ebaf7d4 100644 --- a/third_party/libtiff/tif_dirread.c +++ b/third_party/libtiff/tif_dirread.c @@ -4491,7 +4491,7 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, static const char module[] = "TIFFFetchDirectory"; void* origdir; - uint16 dircount16 = 0; + uint16 dircount16; uint32 dirsize; TIFFDirEntry* dir; uint8* ma; @@ -5429,8 +5429,6 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) static const char module[] = "TIFFFetchStripThing"; enum TIFFReadDirEntryErr err; uint64* data; - _TIFFfree(*lpp); - *lpp = 0; err=TIFFReadDirEntryLong8Array(tif,dir,&data); if (err!=TIFFReadDirEntryErrOk) { |