From dda2c0dc502b50d4de66b80305441bfb612ec6c1 Mon Sep 17 00:00:00 2001 From: tracy_jiang Date: Mon, 29 Aug 2016 13:42:56 -0700 Subject: Fix for #618267. Adding a method to determine if multiplication has overflow. BUG=618267 Review-Url: https://codereview.chromium.org/2284063002 --- core/fxcodec/codec/fx_codec_tiff.cpp | 4 +++ ...ferOverflow-ChopUpSingleUncompressedStrip.patch | 40 ++++++++++++++++++++++ third_party/libtiff/README.pdfium | 1 + third_party/libtiff/tif_aux.c | 2 +- third_party/libtiff/tiffio.h | 1 + 5 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp index 09cfea4111..20fda6308f 100644 --- a/core/fxcodec/codec/fx_codec_tiff.cpp +++ b/core/fxcodec/codec/fx_codec_tiff.cpp @@ -79,6 +79,10 @@ int _TIFFmemcmp(const void* ptr1, const void* ptr2, tmsize_t size) { return FXSYS_memcmp(ptr1, ptr2, (size_t)size); } +int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) { + return op1 > std::numeric_limits::max() / op2; +} + TIFFErrorHandler _TIFFwarningHandler = nullptr; TIFFErrorHandler _TIFFerrorHandler = nullptr; diff --git a/third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch new file mode 100644 index 0000000000..583f068c95 --- /dev/null +++ b/third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch @@ -0,0 +1,40 @@ +diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp +index 09cfea4..20fda63 100644 +--- a/core/fxcodec/codec/fx_codec_tiff.cpp ++++ b/core/fxcodec/codec/fx_codec_tiff.cpp +@@ -79,6 +79,10 @@ int _TIFFmemcmp(const void* ptr1, const void* ptr2, tmsize_t size) { + return FXSYS_memcmp(ptr1, ptr2, (size_t)size); + } + ++int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) { ++ return op1 > std::numeric_limits::max() / op2; ++} ++ + TIFFErrorHandler _TIFFwarningHandler = nullptr; + TIFFErrorHandler _TIFFerrorHandler = nullptr; + +diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c +index 927150a..3ce3680 100644 +--- a/third_party/libtiff/tif_aux.c ++++ b/third_party/libtiff/tif_aux.c +@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, + /* + * XXX: Check for integer overflow. + */ +- if (nmemb && elem_size && bytes / elem_size == nmemb) ++ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + cp = _TIFFrealloc(buffer, bytes); + + if (cp == NULL) { +diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h +index 038b670..056aed2 100644 +--- a/third_party/libtiff/tiffio.h ++++ b/third_party/libtiff/tiffio.h +@@ -298,6 +298,7 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c); + extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); + extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c); + extern void _TIFFfree(void* p); ++extern int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2); + + /* + ** Stuff, related to tag handling and creating custom tags. diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index 05e4965c4f..936cd94e90 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -15,3 +15,4 @@ Local Modifications: 0003-CVE-2015-8781-8782-8783.patch: Security fixes 0004-CVE-2015-8784.patch: Security fixes 0005-Leak-TIFFFetchStripThing.patch: Fix a memory leak +0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c index 927150a493..3ce3680ab2 100644 --- a/third_party/libtiff/tif_aux.c +++ b/third_party/libtiff/tif_aux.c @@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, /* * XXX: Check for integer overflow. */ - if (nmemb && elem_size && bytes / elem_size == nmemb) + if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) cp = _TIFFrealloc(buffer, bytes); if (cp == NULL) { diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h index 038b67013f..056aed22f7 100644 --- a/third_party/libtiff/tiffio.h +++ b/third_party/libtiff/tiffio.h @@ -298,6 +298,7 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c); extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c); extern void _TIFFfree(void* p); +extern int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2); /* ** Stuff, related to tag handling and creating custom tags. -- cgit v1.2.3