From ac2e04797b258115b2dc768a56377d7e78038f42 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Wed, 8 Feb 2017 15:39:02 -0500
Subject: Libtiff upstream fix for TIFFFetchNormalTag
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Upstream commits: https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed https://github.com/vadz/libtiff/commit/89406285f318ffad27af4b200204394b2ee6ba5e
BUG=690124
Change-Id: I8388ae37e94f4e62cd8f9688baf9cf5416348d0c
Reviewed-on: https://pdfium-review.googlesource.com/2558
Reviewed-by: dsinclair
Reviewed-by: Tom Sepez
Commit-Queue: Nicolás Peña
---
 ...0019-fix-invalid-reads-TIFFFetchNormalTag.patch | 28 ++++++++++++++++++++++
 third_party/libtiff/README.pdfium | 1 +
 third_party/libtiff/tif_dirread.c | 10 ++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch
(limited to 'third_party')
diff --git a/third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch b/third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch
new file mode 100644
index 0000000000..9ebb7ef8db
--- /dev/null
+++ b/third_party/libtiff/0019-fix-invalid-reads-TIFFFetchNormalTag.patch
@@ -0,0 +1,28 @@
+diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
+index bc4102184..0e3f8ccd4 100644
+--- a/third_party/libtiff/tif_dirread.c
++++ b/third_party/libtiff/tif_dirread.c
+@@ -4983,6 +4983,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ if (err==TIFFReadDirEntryErrOk)
+ {
+ int m;
++ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
++ data[dp->tdir_count-1] = '\0';
++ }
+ m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
+ if (data!=0)
+ _TIFFfree(data);
+@@ -5155,6 +5160,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ if (err==TIFFReadDirEntryErrOk)
+ {
+ int m;
++ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
++ data[dp->tdir_count-1] = '\0';
++ }
+ m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
+ if (data!=0)
+ _TIFFfree(data);
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 7057a58a87..6a78a1968b 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -28,3 +28,4 @@ Local Modifications:
 0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
 0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
+0019-fix-invalid-reads-TIFFFetchNormalTag.patch: upstream security fix in tif_dirread.
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
index bc4102184c..0e3f8ccd48 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -4983,6 +4983,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
 if (err==TIFFReadDirEntryErrOk)
 {
 int m;
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
+ data[dp->tdir_count-1] = '\0';
+ }
 m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
 if (data!=0)
 _TIFFfree(data);
@@ -5155,6 +5160,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
 if (err==TIFFReadDirEntryErrOk)
 {
 int m;
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
+ data[dp->tdir_count-1] = '\0';
+ }
 m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
 if (data!=0)
 _TIFFfree(data);
-- cgit v1.2.3
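Review bot: `data[dp->tdir_count-1]` is read and written under only a `dp->tdir_count > 0` guard, yet a few lines later the existing code still tests `if (data!=0)` before freeing, so the hunk itself treats `data` as possibly NULL on the success path. Whether NULL can occur with a non-zero count depends on the read call above the hunk, which is not visible here; writing the guard as `if( data != 0 && dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )` removes that dependence. The same applies to the second hunk at 5160, the `(uint32)` variant. The fix also overwrites the last payload byte rather than rejecting the tag, presumably so that later string handling cannot read past `tdir_count` bytes; a short comment such as `/* ASCII tag values must be NUL-terminated; force it so later string reads stay inside the buffer */` above the check would record that intent. TIFFFetchNormalTag starts and ends outside both hunks.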