From 064a3e108b2a2aefde6e0be5f7246b02af6f8aab Mon Sep 17 00:00:00 2001 From: Lei Zhang Date: Tue, 7 Nov 2017 00:28:58 +0000 Subject: Prevent an OOM error in libtiff. BUG=chromium:781582 Change-Id: I17711956884d1902cbd86f2163155b256402ecda Reviewed-on: https://pdfium-review.googlesource.com/17891 Reviewed-by: Chris Palmer Commit-Queue: Lei Zhang --- third_party/libtiff/0028-nstrips-OOM.patch | 26 ++++++++++++++++++++++++++ third_party/libtiff/README.pdfium | 1 + third_party/libtiff/tif_dirread.c | 8 ++++++++ 3 files changed, 35 insertions(+) create mode 100644 third_party/libtiff/0028-nstrips-OOM.patch
diff --git a/third_party/libtiff/0028-nstrips-OOM.patch b/third_party/libtiff/0028-nstrips-OOM.patch
new file mode 100644
index 0000000000..a6db66ee88
--- /dev/null
+++ b/third_party/libtiff/0028-nstrips-OOM.patch
@@ -0,0 +1,26 @@
+diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
+index 772ebaf7d..ab938eac9 100644
+--- a/third_party/libtiff/tif_dirread.c
++++ b/third_party/libtiff/tif_dirread.c
+@@ -41,6 +41,7 @@
+ 
+ #include "tiffiop.h"
+ #include
++#include
+ 
+ #define IGNORE 0 /* tag placeholder used below */
+ #define FAILED_FII ((uint32) -1)
+@@ -3638,6 +3639,13 @@ TIFFReadDirectory(TIFF* tif)
+ isTiled(tif) ? "tiles" : "strips");
+ goto bad;
+ }
++ if (tif->tif_dir.td_nstrips > INT_MAX) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Cannot handle %u number of %s",
++ tif->tif_dir.td_nstrips,
++ isTiled(tif) ? "tiles" : "strips");
++ goto bad;
++ }
+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 39a8b5f025..a370a49ce7 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -17,3 +17,4 @@ Local Modifications:
 0025-upstream-OOM-gtTileContig: allocates the decoded buffer only after a first successful TIFFFillStrip.
 0026-upstream-null-dereference: properly evit when stoponerr is set and avoid null dereferences.
 0027-build-config.patch: #define variables so their value can be used by #if.
+0028-nstrips-OOM.patch: return error for excess number of tiles/strips.
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
index 772ebaf7d4..ab938eac9d 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -41,6 +41,7 @@
 
 #include "tiffiop.h"
 #include
+#include
 
 #define IGNORE 0 /* tag placeholder used below */
 #define FAILED_FII ((uint32) -1)
@@ -3638,6 +3639,13 @@ TIFFReadDirectory(TIFF* tif)
 isTiled(tif) ? "tiles" : "strips");
 goto bad;
 }
+ if (tif->tif_dir.td_nstrips > INT_MAX) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot handle %u number of %s",
+ tif->tif_dir.td_nstrips,
+ isTiled(tif) ? "tiles" : "strips");
+ goto bad;
+ }
 tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
 if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
 tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
-- 
cgit v1.2.3
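Review bot: The new `td_nstrips > INT_MAX` guard in TIFFReadDirectory has no comment explaining why INT_MAX is the cutoff, and as a defence against memory exhaustion from a crafted file it is loose: a count just under INT_MAX still passes, so anything sized per strip further down (not visible in this hunk) could still be very large. I would add a comment above the check, e.g. `/* PDFium local change (0028-nstrips-OOM.patch): refuse strip/tile counts above INT_MAX; this is a coarse cap, not a bound derived from the file size. */`, and consider a follow-up that compares the count with what the file can actually back. The `%u` conversion assumes td_nstrips is an unsigned 32-bit field, which the hunk does not show. The body of TIFFReadDirectory starts and ends outside the hunk, and the same lines are recorded in 0028-nstrips-OOM.patch.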