diff options
author | Lei Zhang <thestig@chromium.org> | 2017-11-07 00:28:58 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-11-07 00:28:58 +0000 |
commit | 064a3e108b2a2aefde6e0be5f7246b02af6f8aab (patch) | |
tree | 703058c10ab340aa628f5197061219c0ed190a8e /third_party | |
parent | 6c3665776eb6276be2b2314cd4242e7c21610ea2 (diff) | |
download | pdfium-064a3e108b2a2aefde6e0be5f7246b02af6f8aab.tar.xz |
Prevent an OOM error in libtiff.
BUG=chromium:781582
Change-Id: I17711956884d1902cbd86f2163155b256402ecda
Reviewed-on: https://pdfium-review.googlesource.com/17891
Reviewed-by: Chris Palmer <palmer@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/libtiff/0028-nstrips-OOM.patch | 26 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libtiff/tif_dirread.c | 8 |
3 files changed, 35 insertions, 0 deletions
diff --git a/third_party/libtiff/0028-nstrips-OOM.patch b/third_party/libtiff/0028-nstrips-OOM.patch new file mode 100644 index 0000000000..a6db66ee88 --- /dev/null +++ b/third_party/libtiff/0028-nstrips-OOM.patch @@ -0,0 +1,26 @@ +diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c +index 772ebaf7d..ab938eac9 100644 +--- a/third_party/libtiff/tif_dirread.c ++++ b/third_party/libtiff/tif_dirread.c +@@ -41,6 +41,7 @@ + + #include "tiffiop.h" + #include <float.h> ++#include <limits.h> + + #define IGNORE 0 /* tag placeholder used below */ + #define FAILED_FII ((uint32) -1) +@@ -3638,6 +3639,13 @@ TIFFReadDirectory(TIFF* tif) + isTiled(tif) ? "tiles" : "strips"); + goto bad; + } ++ if (tif->tif_dir.td_nstrips > INT_MAX) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot handle %u number of %s", ++ tif->tif_dir.td_nstrips, ++ isTiled(tif) ? "tiles" : "strips"); ++ goto bad; ++ } + tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; + if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) + tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index 39a8b5f025..a370a49ce7 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -17,3 +17,4 @@ Local Modifications: 0025-upstream-OOM-gtTileContig: allocates the decoded buffer only after a first successful TIFFFillStrip. 0026-upstream-null-dereference: properly evit when stoponerr is set and avoid null dereferences. 0027-build-config.patch: #define variables so their value can be used by #if. +0028-nstrips-OOM.patch: return error for excess number of tiles/strips. diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c index 772ebaf7d4..ab938eac9d 100644 --- a/third_party/libtiff/tif_dirread.c +++ b/third_party/libtiff/tif_dirread.c @@ -41,6 +41,7 @@ #include "tiffiop.h" #include <float.h> +#include <limits.h> #define IGNORE 0 /* tag placeholder used below */ #define FAILED_FII ((uint32) -1) @@ -3638,6 +3639,13 @@ TIFFReadDirectory(TIFF* tif) isTiled(tif) ? "tiles" : "strips"); goto bad; } + if (tif->tif_dir.td_nstrips > INT_MAX) { + TIFFErrorExt(tif->tif_clientdata, module, + "Cannot handle %u number of %s", + tif->tif_dir.td_nstrips, + isTiled(tif) ? "tiles" : "strips"); + goto bad; + } tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; |