diff options
-rw-r--r-- | third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch | 17 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libtiff/tif_packbits.c | 6 |
3 files changed, 24 insertions, 0 deletions
diff --git a/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch new file mode 100644 index 0000000000..eaae79746d --- /dev/null +++ b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch @@ -0,0 +1,17 @@ +diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c +index d2a0165de..92185e7f7 100644 +--- a/third_party/libtiff/tif_packbits.c ++++ b/third_party/libtiff/tif_packbits.c +@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + (unsigned long) ((tmsize_t)n - occ)); + n = (long)occ; + } ++ if( cc == 0 ) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Terminating PackBitsDecode due to lack of data."); ++ break; ++ } + occ -= n; + b = *bp++; + cc--; diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index 7c329114a3..d3c9c65815 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -28,3 +28,4 @@ Local Modifications: 0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c 0022-upstream-patch-0012.patch: Use the upstream solution corresponding to patch 0012. 0023-upstream-security-fixes.patch: more upstream patches related to security issues. +0024-upstream-PackBitsDecode-fix.patch: fix Heap-buffer-overflow in tif_packbits.c. diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c index d2a0165de9..92185e7f74 100644 --- a/third_party/libtiff/tif_packbits.c +++ b/third_party/libtiff/tif_packbits.c @@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) (unsigned long) ((tmsize_t)n - occ)); n = (long)occ; } + if( cc == 0 ) + { + TIFFWarningExt(tif->tif_clientdata, module, + "Terminating PackBitsDecode due to lack of data."); + break; + } occ -= n; b = *bp++; cc--; |