From ac07d340069e2f6e50d1e9aeae7140ce4d20a7de Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Tue, 18 Apr 2017 17:13:56 -0400
Subject: Libtiff upstream security fixes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Upstream patches applied:
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122
https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490
https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4

Bug: chromium:711638
Change-Id: I017bfa91f7682c190bd7f8dbe36c2c3d1ac68728
Reviewed-on: https://pdfium-review.googlesource.com/4313
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
---
 third_party/libtiff/tif_read.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

(limited to 'third_party/libtiff/tif_read.c')

diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
index 47686a473a..c916ac8acb 100644
--- a/third_party/libtiff/tif_read.c
+++ b/third_party/libtiff/tif_read.c
@@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
 			return ((tmsize_t)(-1));
 		}
 	} else {
-		tmsize_t ma,mb;
+		tmsize_t ma;
 		tmsize_t n;
-		ma=(tmsize_t)td->td_stripoffset[strip];
-		mb=ma+size;
-		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
+				((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
+		{
 			n=0;
-		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
-			n=tif->tif_size-ma;
+		}
+		else if( ma > TIFF_TMSIZE_T_MAX - size )
+		{
+			n=0;
+		}
 		else
-			n=size;
+		{
+			tmsize_t mb=ma+size;
+			if (mb>tif->tif_size)
+				n=tif->tif_size-ma;
+			else
+				n=size;
+		}
 		if (n!=size) {
 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
 			TIFFErrorExt(tif->tif_clientdata, module,
-- 
cgit v1.2.3