From c4722a7a3b3274fb066c2aac4eb3717e648b3004 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Mon, 15 May 2017 14:57:02 -0400
Subject: Libtiff: upstream fix for heap buffer overflow

Upstream patch:
https://github.com/vadz/libtiff/commit/5a4eceed8d2f28d05f49add9ce647684d59d461a

Bug: chromium:722071
Change-Id: Idef412edbeb3255375ab18c68721dbaf7c601119
Reviewed-on: https://pdfium-review.googlesource.com/5511
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
---
 .../libtiff/0024-upstream-PackBitsDecode-fix.patch      | 17 +++++++++++++++++
 third_party/libtiff/README.pdfium                       |  1 +
 third_party/libtiff/tif_packbits.c                      |  6 ++++++
 3 files changed, 24 insertions(+)
 create mode 100644 third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch

diff --git a/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch
new file mode 100644
index 0000000000..eaae79746d
--- /dev/null
+++ b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch
@@ -0,0 +1,17 @@
+diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c
+index d2a0165de..92185e7f7 100644
+--- a/third_party/libtiff/tif_packbits.c
++++ b/third_party/libtiff/tif_packbits.c
+@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+                                    (unsigned long) ((tmsize_t)n - occ));
+                                n = (long)occ;
+                        }
++                       if( cc == 0 )
++                       {
++                               TIFFWarningExt(tif->tif_clientdata, module,
++                                              "Terminating PackBitsDecode due to lack of data.");
++                               break;
++                       }
+                        occ -= n;
+                        b = *bp++;
+                        cc--;
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 7c329114a3..d3c9c65815 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -28,3 +28,4 @@ Local Modifications:
 0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c
 0022-upstream-patch-0012.patch: Use the upstream solution corresponding to patch 0012.
 0023-upstream-security-fixes.patch: more upstream patches related to security issues.
+0024-upstream-PackBitsDecode-fix.patch: fix Heap-buffer-overflow in tif_packbits.c.
diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c
index d2a0165de9..92185e7f74 100644
--- a/third_party/libtiff/tif_packbits.c
+++ b/third_party/libtiff/tif_packbits.c
@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
 				    (unsigned long) ((tmsize_t)n - occ));
 				n = (long)occ;
 			}
+			if( cc == 0 )
+			{
+				TIFFWarningExt(tif->tif_clientdata, module,
+					       "Terminating PackBitsDecode due to lack of data.");
+				break;
+			}
 			occ -= n;
 			b = *bp++;
 			cc--;
-- 
cgit v1.2.3