Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(333)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch

Issue 2284063002: Fix for #618267. Adding a method to determine if multiplication has (Closed)
Patch Set: creating a patch and modifying readme for libtiff Created 4 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « core/fxcodec/codec/fx_codec_tiff.cpp ('k') | third_party/libtiff/README.pdfium » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
diff --git a/third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
new file mode 100644
index 0000000000000000000000000000000000000000..583f068c95525ef0b29a23bb768eab3d75f78581
--- /dev/null
+++ b/third_party/libtiff/0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
@@ -0,0 +1,40 @@
+diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
+index 09cfea4..20fda63 100644
+--- a/core/fxcodec/codec/fx_codec_tiff.cpp
++++ b/core/fxcodec/codec/fx_codec_tiff.cpp
+@@ -79,6 +79,10 @@ int _TIFFmemcmp(const void* ptr1, const void* ptr2, tmsize_t size) {
+ return FXSYS_memcmp(ptr1, ptr2, (size_t)size);
+ }
+
++int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) {
++ return op1 > std::numeric_limits<tmsize_t>::max() / op2;
++}
++
+ TIFFErrorHandler _TIFFwarningHandler = nullptr;
+ TIFFErrorHandler _TIFFerrorHandler = nullptr;
+
+diff --git a/third_party/libtiff/tif_aux.c b/third_party/libtiff/tif_aux.c
+index 927150a..3ce3680 100644
+--- a/third_party/libtiff/tif_aux.c
++++ b/third_party/libtiff/tif_aux.c
+@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ /*
+ * XXX: Check for integer overflow.
+ */
+- if (nmemb && elem_size && bytes / elem_size == nmemb)
++ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ cp = _TIFFrealloc(buffer, bytes);
+
+ if (cp == NULL) {
+diff --git a/third_party/libtiff/tiffio.h b/third_party/libtiff/tiffio.h
+index 038b670..056aed2 100644
+--- a/third_party/libtiff/tiffio.h
++++ b/third_party/libtiff/tiffio.h
+@@ -298,6 +298,7 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
+ extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c);
+ extern void _TIFFfree(void* p);
++extern int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2);
+
+ /*
+ ** Stuff, related to tag handling and creating custom tags.
« no previous file with comments | « core/fxcodec/codec/fx_codec_tiff.cpp ('k') | third_party/libtiff/README.pdfium » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698