summaryrefslogtreecommitdiff
path: root/third_party/libtiff
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/libtiff')
-rw-r--r--third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch28
-rw-r--r--third_party/libtiff/README.pdfium1
-rw-r--r--third_party/libtiff/tif_dirread.c10
3 files changed, 39 insertions, 0 deletions
diff --git a/third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch b/third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch
new file mode 100644
index 0000000000..9ebb7ef8db
--- /dev/null
+++ b/third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch
@@ -0,0 +1,28 @@
+diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
+index bc4102184..0e3f8ccd4 100644
+--- a/third_party/libtiff/tif_dirread.c
++++ b/third_party/libtiff/tif_dirread.c
+@@ -4983,6 +4983,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ if (err==TIFFReadDirEntryErrOk)
+ {
+ int m;
++ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
++ data[dp->tdir_count-1] = '\0';
++ }
+ m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
+ if (data!=0)
+ _TIFFfree(data);
+@@ -5155,6 +5160,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ if (err==TIFFReadDirEntryErrOk)
+ {
+ int m;
++ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
++ data[dp->tdir_count-1] = '\0';
++ }
+ m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
+ if (data!=0)
+ _TIFFfree(data);
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 7057a58a87..6a78a1968b 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -28,3 +28,4 @@ Local Modifications:
0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
+0019-fix-invalid-reads-TIFFFetchNormalTag.patch: upstream security fix in tif_dirread.
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
index bc4102184c..0e3f8ccd48 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -4983,6 +4983,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
if (err==TIFFReadDirEntryErrOk)
{
int m;
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
+ data[dp->tdir_count-1] = '\0';
+ }
m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
if (data!=0)
_TIFFfree(data);
@@ -5155,6 +5160,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
if (err==TIFFReadDirEntryErrOk)
{
int m;
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
+ data[dp->tdir_count-1] = '\0';
+ }
m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
if (data!=0)
_TIFFfree(data);