From b1b01de0285c77f16a72736bf6abeb9598743b0a Mon Sep 17 00:00:00 2001 From: Ryan Harrison Date: Fri, 27 Apr 2018 16:08:58 +0000 Subject: Updated libtiff 4.0.8->4.0.9 Applied 0000-build-config.patch Applied 0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch Applied 0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch Updated and applied 0017-safe_skews_in_gtTileContig.patch Removed 0025-upstream-OOM-gtTileContig.patch, already applied Removed 0026-upstream-null-dereference.patch, already applied Applied 0027-build-config.patch Updated and applied 0028-nstrips-OOM.patch BUG=pdfium:1074 Change-Id: I32510327155213fd6256c5a67fa1be3a54cb975c Reviewed-on: https://pdfium-review.googlesource.com/31550 Reviewed-by: Henrique Nakashima Commit-Queue: Ryan Harrison
---
.../libtiff/0017-safe_skews_in_gtTileContig.patch | 105 +++++++++++++++++++-- 1 file changed, 99 insertions(+), 6 deletions(-) (limited to 'third_party/libtiff/0017-safe_skews_in_gtTileContig.patch')
diff --git a/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch b/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
index ad6d33daee..9fc0ed0cc9 100644
--- a/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
+++ b/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
@@ -1,5 +1,98 @@
+diff --git a/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch b/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
+index ad6d33dae..e69de29bb 100644
+--- a/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
++++ b/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch
+@@ -1,88 +0,0 @@
+-diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
+-index 84cc1d1a7..82e19164e 100644
+---- a/third_party/libtiff/tif_getimage.c
+-+++ b/third_party/libtiff/tif_getimage.c
+-@@ -31,6 +31,7 @@
+- */
+- #include "tiffiop.h"
+- #include
+-+#include
+-
+- static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+- static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+-@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+- uint32 tw, th;
+- unsigned char* buf;
+- int32 fromskew, toskew;
+-+ int64 safeskew;
+- uint32 nrow;
+- int ret = 1, flip;
+- uint32 this_tw, tocol;
+-@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+- flip = setorientation(img);
+- if (flip & FLIP_VERTICALLY) {
+- y = h - 1;
+-- toskew = -(int32)(tw + w);
+-+ safeskew = 0;
+-+ safeskew -= tw;
+-+ safeskew -= w;
+- }
+- else {
+- y = 0;
+-- toskew = -(int32)(tw - w);
+-+ safeskew = 0;
+-+ safeskew -= tw;
+-+ safeskew +=w;
+- }
+-
+-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
+-+ _TIFFfree(buf);
+-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+-+ return (0);
+-+ }
+-+ toskew = safeskew;
+-+
+- /*
+- * Leftmost tile is clipped on left side if col_offset > 0.
+- */
+- leftmost_fromskew = img->col_offset % tw;
+- leftmost_tw = tw - leftmost_fromskew;
+-- leftmost_toskew = toskew + leftmost_fromskew;
+-+ safeskew = toskew;
+-+ safeskew += leftmost_fromskew;
+-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
+-+ _TIFFfree(buf);
+-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+-+ return (0);
+-+ }
+-+ leftmost_toskew = safeskew;
+- for (row = 0; row < h; row += nrow)
+- {
+- rowstoread = th - (row + img->row_offset) % th;
+-@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+- /*
+- * Rightmost tile is clipped on right side.
+- */
+-- fromskew = tw - (w - tocol);
+-+ safeskew = tw;
+-+ safeskew -= w;
+-+ safeskew += tocol;
+-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
+-+ _TIFFfree(buf);
+-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+-+ return (0);
+-+ }
+-+ fromskew = safeskew;
+- this_tw = tw - fromskew;
+-- this_toskew = toskew + fromskew;
+-+ safeskew = toskew;
+-+ safeskew += fromskew;
+-+ if(safeskew > INT_MAX || safeskew < INT_MIN){
+-+ _TIFFfree(buf);
+-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
+-+ return (0);
+-+ }
+-+ this_toskew = safeskew;
+- }
+- (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos);
+- tocol += this_tw;
 diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
-index 84cc1d1a7..82e19164e 100644
+index fc554ccab..fff3f7fde 100644
 --- a/third_party/libtiff/tif_getimage.c
 +++ b/third_party/libtiff/tif_getimage.c
 @@ -31,6 +31,7 @@
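Review bot: The regenerated patch file now begins with a diff of itself: the added lines from `+diff --git a/third_party/libtiff/0017-safe_skews_in_gtTileContig.patch ...` through the `+@@ -1,88 +0,0 @@` section record the removal of the old 88-line patch text, and the real `tif_getimage.c` delta only starts after them. This looks like the output of a working-tree diff taken while the patch file had been emptied, not an intended part of the local libtiff modification. A vendored patch should carry only the change to the library source, so it can be re-applied and audited against upstream without touching files in its own directory. I would drop the first 93 added lines and keep the file from `diff --git a/third_party/libtiff/tif_getimage.c` onward.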
@@ -10,15 +103,15 @@ index 84cc1d1a7..82e19164e 100644 static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); -@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) +@@ -628,6 +629,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) uint32 tw, th; - unsigned char* buf; + unsigned char* buf = NULL; int32 fromskew, toskew; + int64 safeskew; uint32 nrow; int ret = 1, flip; uint32 this_tw, tocol; -@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) +@@ -648,19 +650,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) flip = setorientation(img); if (flip & FLIP_VERTICALLY) { y = h - 1; @@ -56,10 +149,10 @@ index 84cc1d1a7..82e19164e 100644 + return (0); + } + leftmost_toskew = safeskew; - for (row = 0; row < h; row += nrow) + for (row = 0; ret != 0 && row < h; row += nrow) { rowstoread = th - (row + img->row_offset) % th; -@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) +@@ -686,9 +706,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) /* * Rightmost tile is clipped on right side. */ -- cgit v1.2.3