-rw-r--r--third_party/libtiff/0021-oom-TIFFFillStrip.patch18
-rw-r--r--third_party/libtiff/README.pdfium1
-rw-r--r--third_party/libtiff/tif_read.c7
3 files changed, 26 insertions, 0 deletions
diff --git a/third_party/libtiff/0021-oom-TIFFFillStrip.patch b/third_party/libtiff/0021-oom-TIFFFillStrip.patch
new file mode 100644
index 0000000000..a64dc5ed13
--- /dev/null
+++ b/third_party/libtiff/0021-oom-TIFFFillStrip.patch
@@ -0,0 +1,18 @@
+diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
+index 1ba100e54..c25e7e79f 100644
+--- a/third_party/libtiff/tif_read.c
++++ b/third_party/libtiff/tif_read.c
+@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+ return(0);
+ }
++ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
++ if (bytecountm > size) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Requested read strip size %lu is too large",
++ (unsigned long) strip);
++ return (0);
++ }
+ if (bytecountm > tif->tif_rawdatasize) {
+ tif->tif_curstrip = NOSTRIP;
+ if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 55a314630a..b11066fedd 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -25,3 +25,4 @@ Local Modifications:
0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
0019-oom-TIFFReadDirEntryArray.patch: Try to avoid out-of-memory in tif_dirread.c.
0020-upstream-security-fixes.patch: patch our copy with several upstream security fixes.
+0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c
diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
index 1ba100e54c..c25e7e79f0 100644
--- a/third_party/libtiff/tif_read.c
+++ b/third_party/libtiff/tif_read.c
@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
return(0);
}
+ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
+ if (bytecountm > size) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Requested read strip size %lu is too large",
+ (unsigned long) strip);
+ return (0);
+ }
if (bytecountm > tif->tif_rawdatasize) {
tif->tif_curstrip = NOSTRIP;
if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
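Review bot: The new error message labels its argument as a size but prints the strip index: the format is `"Requested read strip size %lu is too large"` and the value passed is `(unsigned long) strip`, so anyone triaging a malformed file from the log sees a strip number presented as a byte count. Wording such as `"Byte count of strip %lu exceeds the file size"` would match what is actually printed. Separately, `(tmsize_t)TIFFGetFileSize(tif)` narrows the file size to a signed type; on builds where tmsize_t is 32 bits, a large file could presumably yield a truncated or negative bound and reject valid strips, so comparing in the unsigned 64-bit domain may be safer. The check bounds only the byte count, not offset plus count, which I assume is handled later in TIFFFillStrip, whose body starts and ends outside the hunk. The same lines are recorded in 0021-oom-TIFFFillStrip.patch, so any rewording applies there too.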