From 8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77 Mon Sep 17 00:00:00 2001 From: stackexploit Date: Wed, 26 Oct 2016 22:40:34 -0700 Subject: libtiff: Prevent a buffer overflow in function PixarLogDecode. Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images. The issue has been fixed in upstream (libtiff revision 1.44, author: erouault, commitid: 2SqWSFG5a8Ewffcz, date: 2016-06-28 23:12:19 +0800). This CL applies the official patch to tif_pixarlog.c. BUG=chromium:654172 R=dsinclair@chromium.org, thestig@chromium.org Review-Url: https://codereview.chromium.org/2453253003 --- .../0009-HeapBufferOverflow-PixarLogDecode.patch | 33 ++++++++++++++++++++++ third_party/libtiff/README.pdfium | 1 + third_party/libtiff/tif_pixarlog.c | 8 ++++++ 3 files changed, 42 insertions(+) create mode 100644 third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch diff --git a/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch b/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch new file mode 100644 index 0000000000..745da03d80 --- /dev/null +++ b/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch @@ -0,0 +1,33 @@ +diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c +index b93b4c7..0674fa4 100644 +--- a/third_party/libtiff/tif_pixarlog.c ++++ b/third_party/libtiff/tif_pixarlog.c +@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op, + typedef struct { + TIFFPredictorState predict; + z_stream stream; ++ tmsize_t tbuf_size; /* only set/used on reading for now */ + uint16 *tbuf; + uint16 stride; + int state; +@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif) + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + if (sp->tbuf == NULL) + return (0); ++ sp->tbuf_size = tbuf_size; + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) + sp->user_datafmt = PixarLogGuessDataFmt(td); + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { +@@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); + return (0); + } ++ /* Check that we will not fill more than what was allocated */ ++ if (sp->stream.avail_out > sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); ++ return (0); ++ } + do { + int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); + if (state == Z_STREAM_END) { diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index 66049c4e98..e0b4192e75 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -18,3 +18,4 @@ Local Modifications: 0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow 0007-uninitialized-value.patch: Fix potentially uninitialized dircount value 0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow +0009-HeapBufferOverflow-PixarLogDecode.patch: Fix a heap buffer overflow diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c index b93b4c77f1..0674fa48d6 100644 --- a/third_party/libtiff/tif_pixarlog.c +++ b/third_party/libtiff/tif_pixarlog.c @@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op, typedef struct { TIFFPredictorState predict; z_stream stream; + tmsize_t tbuf_size; /* only set/used on reading for now */ uint16 *tbuf; uint16 stride; int state; @@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif) sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); if (sp->tbuf == NULL) return (0); + sp->tbuf_size = tbuf_size; if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) sp->user_datafmt = PixarLogGuessDataFmt(td); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { @@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); return (0); } + /* Check that we will not fill more than what was allocated */ + if (sp->stream.avail_out > sp->tbuf_size) + { + TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); + return (0); + } do { int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); if (state == Z_STREAM_END) { -- cgit v1.2.3