Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/libtiff/tif_next.c

Issue 2054993002: Apply security fixes to libtiff that are not in 4.0.6. (Closed) Base URL: https://pdfium.googlesource.com/pdfium@master
Patch Set: Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/libtiff/tif_luv.c ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */ 1 /* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
2 2
3 /* 3 /*
4 * Copyright (c) 1988-1997 Sam Leffler 4 * Copyright (c) 1988-1997 Sam Leffler
5 * Copyright (c) 1991-1997 Silicon Graphics, Inc. 5 * Copyright (c) 1991-1997 Silicon Graphics, Inc.
6 * 6 *
7 * Permission to use, copy, modify, distribute, and sell this software and 7 * Permission to use, copy, modify, distribute, and sell this software and
8 * its documentation for any purpose is hereby granted without fee, provided 8 * its documentation for any purpose is hereby granted without fee, provided
9 * that (i) the above copyright notices and this permission notice appear in 9 * that (i) the above copyright notices and this permission notice appear in
10 * all copies of the software and related documentation, and (ii) the names of 10 * all copies of the software and related documentation, and (ii) the names of
(...skipping 19 matching lines...) Expand all
30 * TIFF Library. 30 * TIFF Library.
31 * 31 *
32 * NeXT 2-bit Grey Scale Compression Algorithm Support 32 * NeXT 2-bit Grey Scale Compression Algorithm Support
33 */ 33 */
34 34
35 #define SETPIXEL(op, v) { \ 35 #define SETPIXEL(op, v) { \
36 switch (npixels++ & 3) { \ 36 switch (npixels++ & 3) { \
37 case 0: op[0] = (unsigned char) ((v) << 6); break; \ 37 case 0: op[0] = (unsigned char) ((v) << 6); break; \
38 case 1: op[0] |= (v) << 4; break; \ 38 case 1: op[0] |= (v) << 4; break; \
39 case 2: op[0] |= (v) << 2; break; \ 39 case 2: op[0] |= (v) << 2; break; \
40 » case 3:»*op++ |= (v);» break;» \ 40 » case 3:»*op++ |= (v);» op_offset++; break;» \
41 } \ 41 } \
42 } 42 }
43 43
44 #define LITERALROW 0x00 44 #define LITERALROW 0x00
45 #define LITERALSPAN 0x40 45 #define LITERALSPAN 0x40
46 #define WHITE ((1<<2)-1) 46 #define WHITE ((1<<2)-1)
47 47
48 static int 48 static int
49 NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) 49 NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
50 { 50 {
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after
99 _TIFFmemcpy(row+off, bp+4, n); 99 _TIFFmemcpy(row+off, bp+4, n);
100 bp += 4+n; 100 bp += 4+n;
101 cc -= 4+n; 101 cc -= 4+n;
102 break; 102 break;
103 } 103 }
104 default: { 104 default: {
105 uint32 npixels = 0, grey; 105 uint32 npixels = 0, grey;
106 uint32 imagewidth = tif->tif_dir.td_imagewidth; 106 uint32 imagewidth = tif->tif_dir.td_imagewidth;
107 if( isTiled(tif) ) 107 if( isTiled(tif) )
108 imagewidth = tif->tif_dir.td_tilewidth; 108 imagewidth = tif->tif_dir.td_tilewidth;
109 tmsize_t op_offset = 0;
109 110
110 /* 111 /*
111 * The scanline is composed of a sequence of constant 112 * The scanline is composed of a sequence of constant
112 * color ``runs''. We shift into ``run mode'' and 113 * color ``runs''. We shift into ``run mode'' and
113 * interpret bytes as codes of the form 114 * interpret bytes as codes of the form
114 * <color><npixels> until we've filled the scanline. 115 * <color><npixels> until we've filled the scanline.
115 */ 116 */
116 op = row; 117 op = row;
117 for (;;) { 118 for (;;) {
118 grey = (uint32)((n>>6) & 0x3); 119 grey = (uint32)((n>>6) & 0x3);
119 n &= 0x3f; 120 n &= 0x3f;
120 /* 121 /*
121 * Ensure the run does not exceed the scanline 122 * Ensure the run does not exceed the scanline
122 * bounds, potentially resulting in a security 123 * bounds, potentially resulting in a security
123 * issue. 124 * issue.
124 */ 125 */
125 » » » » while (n-- > 0 && npixels < imagewidth) 126 » » » » while (n-- > 0 && npixels < imagewidth && op_off set < scanline)
126 SETPIXEL(op, grey); 127 SETPIXEL(op, grey);
127 if (npixels >= imagewidth) 128 if (npixels >= imagewidth)
128 break; 129 break;
130 if (op_offset >= scanline ) {
131 TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
132 (long) tif->tif_row);
133 return (0);
134 }
129 if (cc == 0) 135 if (cc == 0)
130 goto bad; 136 goto bad;
131 n = *bp++, cc--; 137 n = *bp++, cc--;
132 } 138 }
133 break; 139 break;
134 } 140 }
135 } 141 }
136 } 142 }
137 tif->tif_rawcp = (uint8*) bp; 143 tif->tif_rawcp = (uint8*) bp;
138 tif->tif_rawcc = cc; 144 tif->tif_rawcc = cc;
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after
172 #endif /* NEXT_SUPPORT */ 178 #endif /* NEXT_SUPPORT */
173 179
174 /* vim: set ts=8 sts=8 sw=8 noet: */ 180 /* vim: set ts=8 sts=8 sw=8 noet: */
175 /* 181 /*
176 * Local Variables: 182 * Local Variables:
177 * mode: c 183 * mode: c
178 * c-basic-offset: 8 184 * c-basic-offset: 8
179 * fill-column: 78 185 * fill-column: 78
180 * End: 186 * End:
181 */ 187 */
OLDNEW
« no previous file with comments | « third_party/libtiff/tif_luv.c ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698