From 24ba0a2ef48d7be37f02056d20bb8c625f641939 Mon Sep 17 00:00:00 2001 From: stackexploit Date: Mon, 10 Oct 2016 10:58:25 -0700 Subject: libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip. The patch (https://codereview.chromium.org/2284063002) for Issue 618267 was insufficient. The integer overflow still could be triggered and could lead to heap buffer overflow. This CL strengthens integer overflow check in function _TIFFCheckRealloc. BUG=chromium:654169 R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org Review-Url: https://codereview.chromium.org/2405693002 --- ...8-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch | 13 +++++++++++++ third_party/libtiff/README.pdfium | 1 + third_party/libtiff/tif_aux.c | 2 +- 3 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch diff --git a/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch new file mode 100644 index 0000000000..3d494d87ec --- /dev/null +++ b/third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch @@ -0,0 +1,13 @@ +diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c +index 3ce3680..bc4ea01 100644 +--- a/third_party/libtiff/tif_aux.c ++++ b/third_party/libtiff/tif_aux.c +@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, + /* + * XXX: Check for integer overflow. + */ +- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) ++ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + cp = _TIFFrealloc(buffer, bytes); + + if (cp == NULL) { diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index 2f9c4f929f..66049c4e98 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -17,3 +17,4 @@ Local Modifications: 0005-Leak-TIFFFetchStripThing.patch: Fix a memory leak 0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow 0007-uninitialized-value.patch: Fix potentially uninitialized dircount value +0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c index 3ce3680ab2..bc4ea01928 100644 --- a/third_party/libtiff/tif_aux.c +++ b/third_party/libtiff/tif_aux.c @@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, /* * XXX: Check for integer overflow. */ - if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) cp = _TIFFrealloc(buffer, bytes); if (cp == NULL) { -- cgit v1.2.3