-rw-r--r-- | core/fxcodec/codec/ccodec_tiffmodule.cpp | 4 | ||||
-rw-r--r-- | core/fxcrt/fx_basic_memmgr.cpp | 6 | ||||
-rw-r--r-- | core/fxcrt/fx_memory.h | 1 | ||||
-rw-r--r-- | third_party/libtiff/0022-upstream-patch-0012.patch | 29 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libtiff/tif_read.c | 6 | ||||
-rw-r--r-- | third_party/libtiff/tiffio.h | 1 |
7 files changed, 45 insertions, 3 deletions
diff --git a/core/fxcodec/codec/ccodec_tiffmodule.cpp b/core/fxcodec/codec/ccodec_tiffmodule.cpp
index 295f0abe34..3c24c33286 100644
--- a/core/fxcodec/codec/ccodec_tiffmodule.cpp
+++ b/core/fxcodec/codec/ccodec_tiffmodule.cpp
@@ -62,6 +62,10 @@ class CCodec_TiffContext {
 TIFF* m_tif_ctx;
 };
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) {
+ return FXMEM_DefaultCalloc(nmemb, siz);
+}
+
 void* _TIFFmalloc(tmsize_t size) {
 return FXMEM_DefaultAlloc(size, 0);
 }
diff --git a/core/fxcrt/fx_basic_memmgr.cpp b/core/fxcrt/fx_basic_memmgr.cpp
index f3aaa3678d..75bc2bc1f1 100644
--- a/core/fxcrt/fx_basic_memmgr.cpp
+++ b/core/fxcrt/fx_basic_memmgr.cpp
@@ -24,9 +24,15 @@ void FXMEM_InitalizePartitionAlloc() {
 void* FXMEM_DefaultAlloc(size_t byte_size, int flags) {
 return (void*)malloc(byte_size);
 }
+
+void* FXMEM_DefaultCalloc(size_t num_elems, size_t byte_size) {
+ return calloc(num_elems, byte_size);
+}
+
 void* FXMEM_DefaultRealloc(void* pointer, size_t new_size, int flags) {
 return realloc(pointer, new_size);
 }
+
 void FXMEM_DefaultFree(void* pointer, int flags) {
 free(pointer);
 }
diff --git a/core/fxcrt/fx_memory.h b/core/fxcrt/fx_memory.h
index eb369d7d6c..684f2f2646 100644
--- a/core/fxcrt/fx_memory.h
+++ b/core/fxcrt/fx_memory.h
@@ -15,6 +15,7 @@ extern "C" {
 // For external C libraries to malloc through PDFium. These may return nullptr.
 void* FXMEM_DefaultAlloc(size_t byte_size, int flags);
+void* FXMEM_DefaultCalloc(size_t num_elems, size_t byte_size);
 void* FXMEM_DefaultRealloc(void* pointer, size_t new_size, int flags);
 void FXMEM_DefaultFree(void* pointer, int flags);
diff --git a/third_party/libtiff/0022-upstream-patch-0012.patch b/third_party/libtiff/0022-upstream-patch-0012.patch
new file mode 100644
index 0000000000..ce9b5ebc91
--- /dev/null
+++ b/third_party/libtiff/0022-upstream-patch-0012.patch
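Review bot: In core/fxcodec/codec/ccodec_tiffmodule.cpp the new `_TIFFcalloc` hands its signed `tmsize_t` arguments straight to `FXMEM_DefaultCalloc`, whose parameters are `size_t`, so a negative count or size is silently converted to a very large unsigned value. calloc will normally refuse such a request, but the wrapper should reject it explicitly rather than depend on that, and a zero-sized request is otherwise left to implementation-defined calloc behaviour: add `if (nmemb <= 0 || siz <= 0) return nullptr;` before the call. A short comment above the function stating that it may return nullptr and that callers must check would match the note already present in fx_memory.h. The neighbouring `_TIFFmalloc` shown as context has the same implicit conversion.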
@@ -0,0 +1,29 @@
+diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
+index c25e7e79f..47686a473 100644
+--- a/third_party/libtiff/tif_read.c
++++ b/third_party/libtiff/tif_read.c
+@@ -983,9 +983,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
+ "Invalid buffer size");
+ return (0);
+ }
+- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
+- if (tif->tif_rawdata)
+- memset(tif->tif_rawdata, 0, tif->tif_rawdatasize);
++ /* Initialize to zero to avoid uninitialized buffers in case of */
++ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+
+ tif->tif_flags |= TIFF_MYBUFFER;
+ }
+diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h
+index dd6c9a429..7d0da761f 100644
+--- a/third_party/libtiff/tiffio.h
++++ b/third_party/libtiff/tiffio.h
+@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
+ */
+
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index b11066fedd..be326b2746 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -26,3 +26,4 @@ Local Modifications:
 0019-oom-TIFFReadDirEntryArray.patch: Try to avoid out-of-memory in tif_dirread.c.
 0020-upstream-security-fixes.patch: patch our copy with several upstream security fixes.
 0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c
+0022-upstream-patch-0012.patch: Use the upstream solution corresponding to patch 0012.
diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
index c25e7e79f0..47686a473a 100644
--- a/third_party/libtiff/tif_read.c
+++ b/third_party/libtiff/tif_read.c
@@ -983,9 +983,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
 "Invalid buffer size");
 return (0);
 }
- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
- if (tif->tif_rawdata)
- memset(tif->tif_rawdata, 0, tif->tif_rawdatasize);
+ /* Initialize to zero to avoid uninitialized buffers in case of */
+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
 tif->tif_flags |= TIFF_MYBUFFER;
 }
diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h
index dd6c9a4294..7d0da761fc 100644
--- a/third_party/libtiff/tiffio.h
+++ b/third_party/libtiff/tiffio.h
@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
 */
 extern void* _TIFFmalloc(tmsize_t s);
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
 extern void* _TIFFrealloc(void* p, tmsize_t s);
 extern void _TIFFmemset(void* p, int v, tmsize_t c);
 extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); |
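Review bot: In third_party/libtiff/tif_read.c the removed `if (tif->tif_rawdata)` guard was the only NULL test visible in this hunk, and `TIFF_MYBUFFER` is now set whether or not `_TIFFcalloc` succeeded. TIFFReadBufferSetup continues past the end of the hunk, so a failure check may well follow; if it does not, add `if (tif->tif_rawdata == NULL) { tif->tif_rawdatasize = 0; return (0); }` directly after the allocation so a failed allocation cannot leave a non-zero size paired with a null buffer. The zero-fill guarantee now depends entirely on the embedder's `_TIFFcalloc`, so the new comment could add `/* _TIFFcalloc must return zeroed memory or NULL */` to make that contract explicit for anyone replacing the allocator.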