summaryrefslogtreecommitdiff
path: root/third_party/libtiff
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/libtiff')
-rw-r--r--third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch13
-rw-r--r--third_party/libtiff/README.pdfium1
-rw-r--r--third_party/libtiff/tif_aux.c2
3 files changed, 15 insertions, 1 deletions
diff --git a/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
new file mode 100644
index 0000000000..3d494d87ec
--- /dev/null
+++ b/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
@@ -0,0 +1,13 @@
+diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
+index 3ce3680..bc4ea01 100644
+--- a/third_party/libtiff/tif_aux.c
++++ b/third_party/libtiff/tif_aux.c
+@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ /*
+ * XXX: Check for integer overflow.
+ */
+- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
++ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ cp = _TIFFrealloc(buffer, bytes);
+
+ if (cp == NULL) {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 2f9c4f929f..66049c4e98 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -17,3 +17,4 @@ Local Modifications:
0005-Leak-TIFFFetchStripThing.patch: Fix a memory leak
0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
0007-uninitialized-value.patch: Fix potentially uninitialized dircount value
+0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
index 3ce3680ab2..bc4ea01928 100644
--- a/third_party/libtiff/tif_aux.c
+++ b/third_party/libtiff/tif_aux.c
@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
/*
* XXX: Check for integer overflow.
*/
- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
cp = _TIFFrealloc(buffer, bytes);
if (cp == NULL) {