From ac07d340069e2f6e50d1e9aeae7140ce4d20a7de Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Tue, 18 Apr 2017 17:13:56 -0400 Subject: Libtiff upstream security fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Upstream patches applied: https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122 https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490 https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4 Bug: chromium:711638 Change-Id: I017bfa91f7682c190bd7f8dbe36c2c3d1ac68728 Reviewed-on: https://pdfium-review.googlesource.com/4313 Reviewed-by: Tom Sepez Commit-Queue: Nicolás Peña --- third_party/libtiff/tif_jpeg.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'third_party/libtiff/tif_jpeg.c') diff --git a/third_party/libtiff/tif_jpeg.c b/third_party/libtiff/tif_jpeg.c index abd0b0aa2f..4f154a7c2b 100644 --- a/third_party/libtiff/tif_jpeg.c +++ b/third_party/libtiff/tif_jpeg.c @@ -1634,6 +1634,20 @@ JPEGSetupEncode(TIFF* tif) case PHOTOMETRIC_YCBCR: sp->h_sampling = td->td_ycbcrsubsampling[0]; sp->v_sampling = td->td_ycbcrsubsampling[1]; + if( sp->h_sampling == 0 || sp->v_sampling == 0 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Invalig horizontal/vertical sampling value"); + return (0); + } + if( td->td_bitspersample > 16 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "BitsPerSample %d not allowed for JPEG", + td->td_bitspersample); + return (0); + } + /* * A ReferenceBlackWhite field *must* be present since the * default value is inappropriate for YCbCr. Fill in the -- cgit v1.2.3