From 3198c681df875f7f268f03040b64343741d4bda1 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Wed, 5 Apr 2017 15:50:53 -0400
Subject: Libtiff: Prevent OOM in TIFFFillStrip
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of memory. In this CL we do sanity checks on the claimed size of the raw strip data before that happens, to prevent out-of-memory.

Bug: chromium:707431
Change-Id: I4e7c9a8630fad11d4f68a3ceccd71ffa511f4293
Reviewed-on: https://pdfium-review.googlesource.com/3811
Commit-Queue: Nicolás Peña
Reviewed-by: Lei Zhang
Reviewed-by: dsinclair
---
 third_party/libtiff/0021-oom-TIFFFillStrip.patch | 18 ++++++++++++++++++
 third_party/libtiff/README.pdfium | 1 +
 third_party/libtiff/tif_read.c | 7 +++++++
 3 files changed, 26 insertions(+)
 create mode 100644 third_party/libtiff/0021-oom-TIFFFillStrip.patch

diff --git a/third_party/libtiff/0021-oom-TIFFFillStrip.patch b/third_party/libtiff/0021-oom-TIFFFillStrip.patch
new file mode 100644
index 0000000000..a64dc5ed13
--- /dev/null
+++ b/third_party/libtiff/0021-oom-TIFFFillStrip.patch
@@ -0,0 +1,18 @@
+diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
+index 1ba100e54..c25e7e79f 100644
+--- a/third_party/libtiff/tif_read.c
++++ b/third_party/libtiff/tif_read.c
+@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+ return(0);
+ }
++ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
++ if (bytecountm > size) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Requested read strip size %lu is too large",
++ (unsigned long) strip);
++ return (0);
++ }
+ if (bytecountm > tif->tif_rawdatasize) {
+ tif->tif_curstrip = NOSTRIP;
+ if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 55a314630a..b11066fedd 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -25,3 +25,4 @@ Local Modifications:
 0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
 0019-oom-TIFFReadDirEntryArray.patch: Try to avoid out-of-memory in tif_dirread.c.
 0020-upstream-security-fixes.patch: patch our copy with several upstream security fixes.
+0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c
diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
index 1ba100e54c..c25e7e79f0 100644
--- a/third_party/libtiff/tif_read.c
+++ b/third_party/libtiff/tif_read.c
@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
 TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
 return(0);
 }
+ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
+ if (bytecountm > size) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Requested read strip size %lu is too large",
+ (unsigned long) strip);
+ return (0);
+ }
 if (bytecountm > tif->tif_rawdatasize) {
 tif->tif_curstrip = NOSTRIP;
 if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
-- 
cgit v1.2.3
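Review bot: The new diagnostic in the tif_read.c hunk labels the strip index as a size: `"Requested read strip size %lu is too large"` is formatted with `(unsigned long) strip`, while the value that actually failed the check is `bytecountm`, so an operator reading the log never sees the offending byte count. I would report both, e.g. `"Read error on strip %lu; requested size %lu exceeds file size", (unsigned long) strip, (unsigned long) bytecountm` (or the file's 64-bit format macro for the tmsize_t, if one is in use elsewhere in tif_read.c, since an `unsigned long` cast truncates on LLP64 builds). A second concern is `(tmsize_t)TIFFGetFileSize(tif)`: TIFFGetFileSize presumably returns a uint64, and narrowing it into a signed tmsize_t on 32-bit builds can wrap to a negative `size` for large files, which would make `bytecountm > size` reject every strip; comparing in uint64 (the pre-narrowing `bytecount` that the preceding "Integer overflow" check derives `bytecountm` from, if still in scope, against `TIFFGetFileSize(tif)` or `(uint64)tif->tif_size`) avoids that. Note also that this bounds only the strip's byte count by the file size and ignores the strip offset, so it is a coarse guard against absurd allocations rather than a replacement for validating the read itself, and on unmapped files it adds a TIFFGetFileSize call on every strip. TIFFFillStrip begins before and continues after this hunk.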