summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch17
-rw-r--r--third_party/libtiff/README.pdfium1
-rw-r--r--third_party/libtiff/tif_packbits.c6
3 files changed, 24 insertions, 0 deletions
diff --git a/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch
new file mode 100644
index 0000000000..eaae79746d
--- /dev/null
+++ b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch
@@ -0,0 +1,17 @@
+diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c
+index d2a0165de..92185e7f7 100644
+--- a/third_party/libtiff/tif_packbits.c
++++ b/third_party/libtiff/tif_packbits.c
+@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ (unsigned long) ((tmsize_t)n - occ));
+ n = (long)occ;
+ }
++ if( cc == 0 )
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Terminating PackBitsDecode due to lack of data.");
++ break;
++ }
+ occ -= n;
+ b = *bp++;
+ cc--;
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 7c329114a3..d3c9c65815 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -28,3 +28,4 @@ Local Modifications:
0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c
0022-upstream-patch-0012.patch: Use the upstream solution corresponding to patch 0012.
0023-upstream-security-fixes.patch: more upstream patches related to security issues.
+0024-upstream-PackBitsDecode-fix.patch: fix Heap-buffer-overflow in tif_packbits.c.
diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c
index d2a0165de9..92185e7f74 100644
--- a/third_party/libtiff/tif_packbits.c
+++ b/third_party/libtiff/tif_packbits.c
@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
(unsigned long) ((tmsize_t)n - occ));
n = (long)occ;
}
+ if( cc == 0 )
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Terminating PackBitsDecode due to lack of data.");
+ break;
+ }
occ -= n;
b = *bp++;
cc--;