From c4722a7a3b3274fb066c2aac4eb3717e648b3004 Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Mon, 15 May 2017 14:57:02 -0400 Subject: Libtiff: upstream fix for heap buffer overflow Upstream patch: https://github.com/vadz/libtiff/commit/5a4eceed8d2f28d05f49add9ce647684d59d461a Bug: chromium:722071 Change-Id: Idef412edbeb3255375ab18c68721dbaf7c601119 Reviewed-on: https://pdfium-review.googlesource.com/5511 Commit-Queue: dsinclair Reviewed-by: dsinclair --- .../libtiff/0024-upstream-PackBitsDecode-fix.patch | 17 +++++++++++++++++ third_party/libtiff/README.pdfium | 1 + third_party/libtiff/tif_packbits.c | 6 ++++++ 3 files changed, 24 insertions(+) create mode 100644 third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch diff --git a/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch new file mode 100644 index 0000000000..eaae79746d --- /dev/null +++ b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch @@ -0,0 +1,17 @@ +diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c +index d2a0165de..92185e7f7 100644 +--- a/third_party/libtiff/tif_packbits.c ++++ b/third_party/libtiff/tif_packbits.c +@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) + (unsigned long) ((tmsize_t)n - occ)); + n = (long)occ; + } ++ if( cc == 0 ) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Terminating PackBitsDecode due to lack of data."); ++ break; ++ } + occ -= n; + b = *bp++; + cc--; diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index 7c329114a3..d3c9c65815 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -28,3 +28,4 @@ Local Modifications: 0021-oom-TIFFFillStrip.patch: Try to avoid out-of-memory in tif_read.c 0022-upstream-patch-0012.patch: Use the upstream solution corresponding to patch 0012. 0023-upstream-security-fixes.patch: more upstream patches related to security issues. +0024-upstream-PackBitsDecode-fix.patch: fix Heap-buffer-overflow in tif_packbits.c. diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c index d2a0165de9..92185e7f74 100644 --- a/third_party/libtiff/tif_packbits.c +++ b/third_party/libtiff/tif_packbits.c @@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) (unsigned long) ((tmsize_t)n - occ)); n = (long)occ; } + if( cc == 0 ) + { + TIFFWarningExt(tif->tif_clientdata, module, + "Terminating PackBitsDecode due to lack of data."); + break; + } occ -= n; b = *bp++; cc--; -- cgit v1.2.3