path: root/third_party/libtiff
Age | Commit message | Author
2017-07-28 | LibTIFF: upstream patch to fix null dereference | Nicolas Pena
This CL applies this patch that fixes a recent null dereference regression: https://github.com/vadz/libtiff/commit/57f4b28c00d78bd5d74768585d0e46b2e12e94f7 Bug: chromium:743621 Change-Id: I0f9d4321dc6ea71dd31cf0ba8420cc25d401f0d8 Reviewed-on: https://pdfium-review.googlesource.com/9490 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-07-27 | Define SIZEOF_VOIDP and other cleanup in tiffconf | Nicolas Pena
This CL uses sizeof to calculate sizes in tiffconf. It adds SIZEOF_VOIDP to allow LibTIFF to take codepaths reducing OOMs. Finally, it gets rid of _FX_WIN32_MOBILE_ since it's never defined. Bug: chromium:718494 Change-Id: I9e6fb2812487ccd7d08e56fd1954c716ddccd07b Reviewed-on: https://pdfium-review.googlesource.com/9410 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-07-20 | LibTIFF: remove a couple of patches | Nicolas Pena
This CL removes two patches that correspond to non-security CF bugs. There are now only a few patches left: two patches to prevent overflow in _TIFFCheckRealloc (overflows here are dangerous as they can cause heap-buffer-overflows), one patch to prevent integer overflows which CF reported as a security issue, and one recent upstream patch (which would be removed in the next LibTIFF upgrade).
Next steps:
* Figure out how to reproduce the security issue from _TIFFCheckRealloc (samples from the bugs seem to just timeout on asan) and report bug upstream once it's confirmed that a change is needed.
* Ditto integer overflow, except it was already reported upstream, so ping upstream once reproduction without the patch is possible again.
Change-Id: I6f9096a6e69698d5ded6a59c4aca5e07b351e716 Reviewed-on: https://pdfium-review.googlesource.com/8532 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-07-20 | Upgrade LibTIFF to 4.0.8 | Nicolas Pena
This CL upgrades LibTIFF, removing patch files that correspond to bugs that have been resolved in 4.0.8. Change-Id: Id99d2fc9b3f25993dcb60cf1558b73674eb725bf Reviewed-on: https://pdfium-review.googlesource.com/8490 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-07-13 | Libtiff OOM upstream patch | Nicolas Pena
This CL applies two upstream patches that help with OOM problems: https://github.com/vadz/libtiff/commit/1077fad562e03d1cad591dd10163dd80ad63ab0e https://github.com/vadz/libtiff/commit/0a619f1e553e46df8022b889ff44f8a1faa1e48d These do not yet fix the bug below. Bug: chromium:718494 Change-Id: If68c20f504b27c07dba2765f8e5ef708c1a54d7e Reviewed-on: https://pdfium-review.googlesource.com/7731 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-06-26 | Add comment in libtiff patch | Nicolas Pena
This CL adds a comment to point to the upstream bug of a patch fixing an OOM. The fix is fine for us but not accepted upstream so it should be ignored once upstream fixes the bug. Bug: chromium:681311 Change-Id: I6986fb7c851e260e84f764449ff1ee46441e71b4 Reviewed-on: https://pdfium-review.googlesource.com/6953 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-05-15 | Libtiff: upstream fix for heap buffer overflow | Nicolas Pena
Upstream patch: https://github.com/vadz/libtiff/commit/5a4eceed8d2f28d05f49add9ce647684d59d461a Bug: chromium:722071 Change-Id: Idef412edbeb3255375ab18c68721dbaf7c601119 Reviewed-on: https://pdfium-review.googlesource.com/5511 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-04-18 | Libtiff upstream security fixes | Nicolas Pena
Upstream patches applied: https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122 https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490 https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4 Bug: chromium:711638 Change-Id: I017bfa91f7682c190bd7f8dbe36c2c3d1ac68728 Reviewed-on: https://pdfium-review.googlesource.com/4313 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-04-18 | Libtiff upstream: _TIFFcalloc addition | Nicolas Pena
Upstream commit: https://github.com/vadz/libtiff/commit/d60332057b9575ada4f264489582b13e30137be1 Bug: chromium:711638 Change-Id: I46de1a00f9bb8d5de8df64ec78a9d62dcb4352ed Reviewed-on: https://pdfium-review.googlesource.com/4310 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-04-05 | Libtiff: Prevent OOM in TIFFFillStrip | Nicolas Pena
In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of memory. In this CL we do sanity checks on the claimed size of the raw strip data before that happens, to prevent out-of-memory. Bug: chromium:707431 Change-Id: I4e7c9a8630fad11d4f68a3ceccd71ffa511f4293 Reviewed-on: https://pdfium-review.googlesource.com/3811 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-04-03 | Drop FXSYS_ from mem methods | Dan Sinclair
This CL drops the FXSYS_ from mem methods which are the same on all platforms. Bug: pdfium:694 Change-Id: I9d5ae905997dbaaec5aa0b2ae4c07358ed9c6236 Reviewed-on: https://pdfium-review.googlesource.com/3613 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
2017-03-31 | Move zlib to a DEPS-based checkout. | Lei Zhang
BUG=chromium:541704 Change-Id: I313d8853450ff5940b3baa4054ff441b342c46b7 Reviewed-on: https://pdfium-review.googlesource.com/3350 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Nicolás Peña <npm@chromium.org>
2017-03-30 | Libtiff security upstream patches | Nicolas Pena
CL list: https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1 https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018 https://github.com/vadz/libtiff/commit/b4b41925115059b49f97432bda0613411df2f686 Bug: chromium:706349 Change-Id: I782156e7486919a62e25eeb95cb8699f1b2c5ee1 Reviewed-on: https://pdfium-review.googlesource.com/3374 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-03-29 | Do more checks before big allocs in TIFFReadDirEntryArray | Nicolas Pena
This CL fixes the only caller to TIFFReadDirEntryData with potentially large size so that we avoid big mallocs when we know we will fail. It does this as follows:
- Avoid the unnecessary computations if datasize is very small. We don't want to be slower in this case.
- If !isMapped(tif), we will Seek and Read. Check that ending position is reachable. In the other case, do a simple check for out of bounds.
Bug: chromium:681311 Change-Id: Ia172d8b4d401753b7c8d5455dc1ada5335f6fa6b Reviewed-on: https://pdfium-review.googlesource.com/3253 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org>
2017-03-27 | Update to zlib 1.2.11 | Adenilson Cavalcanti
This is the same version used by Chromium (as also the latest release of zlib). BUG=687631 Change-Id: Ia4bcdee3c36443ba01914d157ea795d7fb881a45 Reviewed-on: https://pdfium-review.googlesource.com/3096 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-03-21 | Upgrade libtiff to 4.0.7. | Lei Zhang
Change-Id: If3f67767f738b7f23230ca8c37c9af2e31696e82 Reviewed-on: https://pdfium-review.googlesource.com/3117 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-02-27 | Spacing nit in libtiff patch | Nicolas Pena
Original patch: https://pdfium-review.googlesource.com/c/2830/ Procedure: revert original patch, cherry-pick it, fix spacing, use git diff to obtain the new patch file (index changed). Change-Id: I1b5d2fd3cc17780c9428417fb1cd1e6b9a05f1fc Reviewed-on: https://pdfium-review.googlesource.com/2848 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-02-24 | Libtiff: fix leaking tables in tif_ojpeg.c | Nicolas Pena
Tables should be freed before they are reassigned. This CL fixes the three places where this is not happening. BUG=694599 Change-Id: I4e7cf1a6354b1129ecaf7ddcc74d8a36ba289df7 Reviewed-on: https://pdfium-review.googlesource.com/2830 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-02-09 | Libtiff upstream fix for large td_bitspersample | Nicolas Pena
Commit: https://github.com/vadz/libtiff/commit/b5065f39ebc8b125aaa790f9003988c0d675f814 BUG=681305 Change-Id: I4e6c166f892bdac83b45e5518302bfd9cbcbd332 Reviewed-on: https://pdfium-review.googlesource.com/2571 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-02-08 | Libtiff upstream fix for TIFFFetchNormalTag [chromium/3007] | Nicolas Pena
Upstream commits: https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed https://github.com/vadz/libtiff/commit/89406285f318ffad27af4b200204394b2ee6ba5e BUG=690124 Change-Id: I8388ae37e94f4e62cd8f9688baf9cf5416348d0c Reviewed-on: https://pdfium-review.googlesource.com/2558 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-26 | Fix leak in PredictorSetupDecode by calling tif_cleanup on failure | Nicolas Pena
tif_data and tif_cleanup are both set on the TIFFInit methods, see for instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was filled on tif_data should be cleaned up. The previous leak fix from PixarLogSetupDecode is no longer necessary. BUG=683834 Change-Id: Ib7dec3fb8addd56fa20f2e85c4ee918222a5f97e Reviewed-on: https://pdfium-review.googlesource.com/2432 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-25 | Prevent skew overflows in gtTileContig | Nicolas Pena
Using int64 to check whether uint32 operations have overflowed. BUG=681300 Change-Id: I4470d34f2e5e61c0bf96f1c8587cdb7805afe87b Reviewed-on: https://pdfium-review.googlesource.com/2355 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-19 | Fix leak in PixarLogSetupDecode | Nicolas Pena
The call may come from TIFFReadRGBAImageOriented, and there no cleanup is done. So free the memory allocation on failure. BUG=681301 Change-Id: I4ac7db03d18eddd3117649ca185dffdcc9189870 Reviewed-on: https://pdfium-review.googlesource.com/2252 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-12 | Fix leak in OJPEGReadHeaderInfoSecTablesAcTable when read fails. | Nicolas Pena
If rb is allocated memory but p != q, then it will not be assigned to sp->actable[m], so it will leak. BUG=680520 Change-Id: Ib0b178b043b2a9821fb289d033ca0ab52e4cbe48 Reviewed-on: https://pdfium-review.googlesource.com/2176 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-12 | Prevent undefined shift in putagreytile | Nicolas Pena
Patch has been accepted upstream, see: http://bugzilla.maptools.org/show_bug.cgi?id=2658 BUG=655008 Change-Id: I7ef69e6f71e66bd7e0a4d334c4f8e60ed02213d2 Reviewed-on: https://pdfium-review.googlesource.com/2174 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-09 | [libtiff] Validate refblackwhite values | Dan Sinclair
The td_refblackwhite value is currently assigned without validation. This may pose an issue as the image can specify the value as nan. This will cause problems later when we use the nan in calculations. This CL validates each of the float values are not nan and if they are sets them to the default provided by the TIFF spec v6. BUG=chromium:632883 Change-Id: I17b01f744d3f5247c4bd3f42765a27b611dc7d8c Reviewed-on: https://pdfium-review.googlesource.com/2151 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
2017-01-05 | [libtiff] Fixup uninitialized access issue | Dan Sinclair
This CL initializes the raw tif data to guard against uninitialized memory access. BUG=chromium:677377 Change-Id: If272fafacd996c2e93a41fb6e477661dc0c5492c Reviewed-on: https://pdfium-review.googlesource.com/2150 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
2017-01-03 | Libtiff update with upstream | Nicolas Pena
This CL makes the fix to the bug equal to that which has now been submitted upstream. Link: https://github.com/vadz/libtiff/commit/fa6b22a5135fdeabe860097c04f298ca0ae7f2e1 Our original CL for fixing the bug: https://codereview.chromium.org/2545723004/ BUG=657473 Change-Id: I52ae6a062ac07a0e20d0ba4ab823cbbf1d2b1ac1 Reviewed-on: https://pdfium-review.googlesource.com/2136 Commit-Queue: Nicolás Peña <npm@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2016-12-05 | Fix a leak when TIFFRGBAImageBegin fails [chromium/2943] | npm
The method to create image can fail even after ycbcr has been set, so the current way to release is not enough. TIFFRGBAImageEnd is safe in that it checks for existence before deleting, and deletes whatever has been created. BUG=657473 Review-Url: https://codereview.chromium.org/2545723004
2016-10-26 | libtiff: Fix unsigned vs signed comparison warning. | thestig
tif_pixarlog.c revision 1.45. commitid: IX5L3QQ5Qtzcofcz BUG=chromium:654172 Review-Url: https://codereview.chromium.org/2452293002
2016-10-26 | libtiff: Prevent a buffer overflow in function PixarLogDecode. | stackexploit
Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images. The issue has been fixed in upstream (libtiff revision 1.44, author: erouault, commitid: 2SqWSFG5a8Ewffcz, date: 2016-06-28 23:12:19 +0800). This CL applies the official patch to tif_pixarlog.c. BUG=chromium:654172 R=dsinclair@chromium.org, thestig@chromium.org Review-Url: https://codereview.chromium.org/2453253003
2016-10-10 | libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip. | stackexploit
The patch (https://codereview.chromium.org/2284063002) for Issue 618267 was insufficient. The integer overflow still could be triggered and could lead to heap buffer overflow. This CL strengthens integer overflow check in function _TIFFCheckRealloc. BUG=chromium:654169 R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org Review-Url: https://codereview.chromium.org/2405693002
2016-10-03 | Fix potentially uninitialized value. [chromium/2880] | dsinclair
Depending on what ReadOK does it's possible for |dircount16| to be used without being initialized. The read code calls back into PDFium specific code which then calls into the stream reading code. Initialize the value to be sure it is set. BUG=chromium:651632 Review-Url: https://codereview.chromium.org/2389993002
2016-09-29 | Move core/fxcrt/include to core/fxcrt | dsinclair
BUG=pdfium:611 Review-Url: https://codereview.chromium.org/2382723003
2016-08-29 | Fix for #618267. Adding a method to determine if multiplication has | tracy_jiang
overflow. BUG=618267 Review-Url: https://codereview.chromium.org/2284063002
2016-08-01 | Fix a memory leak in libtiff. | thestig
BUG=633387 Review-Url: https://codereview.chromium.org/2204793002
2016-06-09 | Apply security fixes to libtiff that are not in 4.0.6. | thestig
BUG=618164 Review-Url: https://codereview.chromium.org/2054993002
2016-03-23 | Move core/include/fxcrt to core/fxcrt/include. | Dan Sinclair
This CL moves the fxcrt code into the core/fxcrt directory. The only exception was fx_bidi.h which was moved into core/fxcrt as it is not used outside of core/. R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1825953002 .
2016-03-11 | Set HAVE_SEARCH_H so that pdfium/xfa builds with VS 2015 | Bruce Dawson
Enabling of XFA-Forms in crrev.com/1775173002 broke VS 2015 builds because of a conflict between the lfind declaration in libtiff\tiffiop.h and the one that ships with VS 2015. Defining HAVE_SEARCH_H for VS 2015 builds fixes this problem BUG=440500,593996 R=thakis@chromium.org, tsepez@chromium.org Review URL: https://codereview.chromium.org/1781043005 .
2016-01-08 | XFA: Remove relative includes outside of xfa/. | Lei Zhang
R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1572523002 .
2016-01-07 | XFA: Fix Windows build after upgrading libtiff, second attempt. | Lei Zhang
TBR=tsepez@chromium.org Review URL: https://codereview.chromium.org/1567063003 .
2016-01-07 | XFA: Fix Windows build after upgrading libtiff. | Lei Zhang
TBR=tsepez@chromium.org Review URL: https://codereview.chromium.org/1570443007 .
2016-01-07 | XFA: Add missing libtiff file from commit 9c2c87d1c744. | Lei Zhang
TBR=tsepez@chromium.org Review URL: https://codereview.chromium.org/1571523002 .
2016-01-07 | XFA: Upgrade to libtiff 4.0.6. | Lei Zhang
R=jun_fang@foxitsoftware.com, tsepez@chromium.org Review URL: https://codereview.chromium.org/1563103002 .