From c4722a7a3b3274fb066c2aac4eb3717e648b3004 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Mon, 15 May 2017 14:57:02 -0400
Subject: Libtiff: upstream fix for heap buffer overflow

Upstream patch:
https://github.com/vadz/libtiff/commit/5a4eceed8d2f28d05f49add9ce647684d59d461a

Bug: chromium:722071
Change-Id: Idef412edbeb3255375ab18c68721dbaf7c601119
Reviewed-on: https://pdfium-review.googlesource.com/5511
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
---
 .../libtiff/0024-upstream-PackBitsDecode-fix.patch      | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch

(limited to 'third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch')

diff --git a/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch
new file mode 100644
index 0000000000..eaae79746d
--- /dev/null
+++ b/third_party/libtiff/0024-upstream-PackBitsDecode-fix.patch
@@ -0,0 +1,17 @@
+diff --git a/third_party/libtiff/tif_packbits.c b/third_party/libtiff/tif_packbits.c
+index d2a0165de..92185e7f7 100644
+--- a/third_party/libtiff/tif_packbits.c
++++ b/third_party/libtiff/tif_packbits.c
+@@ -244,6 +244,12 @@ PackBitsDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+                                    (unsigned long) ((tmsize_t)n - occ));
+                                n = (long)occ;
+                        }
++                       if( cc == 0 )
++                       {
++                               TIFFWarningExt(tif->tif_clientdata, module,
++                                              "Terminating PackBitsDecode due to lack of data.");
++                               break;
++                       }
+                        occ -= n;
+                        b = *bp++;
+                        cc--;
-- 
cgit v1.2.3