From 5e3121beff936df1b0af3749447eeda1666d5d76 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Wed, 11 Jan 2017 16:39:20 -0500
Subject: Make tiff_read return actual length read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The return value is used to determine whether TIFFReadFile fails. If we return just the length, libtiff will try reading uninitilized values afterwards, on corrupted files.

BUG=679230, 670928

Change-Id: I579adc9d8a00e8cafab45dbdb728f1cb702da051
Reviewed-on: https://pdfium-review.googlesource.com/2172
Commit-Queue: Nicolás Peña
Reviewed-by: Tom Sepez
---
 core/fxcodec/codec/fx_codec_tiff.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'core/fxcodec/codec')

diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
index cf38d71b37..7818a34ec6 100644
--- a/core/fxcodec/codec/fx_codec_tiff.cpp
+++ b/core/fxcodec/codec/fx_codec_tiff.cpp
@@ -100,10 +100,14 @@ tsize_t tiff_read(thandle_t context, tdata_t buf, tsize_t length) {
   if (!increment.IsValid())
     return 0;
-  if (!pTiffContext->io_in()->ReadBlock(buf, pTiffContext->offset(), length))
+  FX_FILESIZE offset = pTiffContext->offset();
+  if (!pTiffContext->io_in()->ReadBlock(buf, offset, length))
     return 0;
   pTiffContext->set_offset(increment.ValueOrDie());
+  if (offset + length > pTiffContext->io_in()->GetSize())
+    return pTiffContext->io_in()->GetSize() - offset;
+
   return length;
 }
-- 
cgit v1.2.3
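Review bot: On a short read the context offset is still advanced by the full request, because `pTiffContext->set_offset(increment.ValueOrDie())` runs before the new size check, so the stream position lands past EOF while the caller is told fewer bytes were consumed, and on the next call `GetSize() - offset` is zero or negative. The clamp is also placed after `ReadBlock`, so it only helps if `ReadBlock` reports success for a request that extends beyond the file, which the commit message suggests but the hunk does not show. Clamping `length` against `GetSize() - offset` before the read, rejecting `offset >= GetSize()` up front, and advancing the offset by the clamped count keeps the return value, the bytes written to `buf` and the stream position consistent. `tiff_read` starts before the hunk, where `increment` is computed; with the version below that checked addition is no longer needed for the offset update, though whatever it validates about `length` should be kept.
```cpp
  FX_FILESIZE offset = pTiffContext->offset();
  FX_FILESIZE size = pTiffContext->io_in()->GetSize();
  if (offset >= size)
    return 0;
  // Clamp the request to what is actually in the file so the returned count,
  // the bytes written to |buf| and the stream position all agree.
  if (length > size - offset)
    length = static_cast<tsize_t>(size - offset);
  if (!pTiffContext->io_in()->ReadBlock(buf, offset, length))
    return 0;
  pTiffContext->set_offset(offset + length);
  return length;
```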