Chromium Code Reviews

Issue 2405693002: libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip. (Closed)

Created:
4 years, 2 months ago by Ke Liu
Modified:
4 years, 2 months ago
CC:
pdfium-reviews_googlegroups.com
Target Ref:
refs/heads/master
Project:
pdfium
Visibility:
Public.

Description

libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.

The patch (https://codereview.chromium.org/2284063002) for Issue 618267 was insufficient. The integer overflow still could be triggered and could lead to a heap buffer overflow. This CL strengthens the integer overflow check in function _TIFFCheckRealloc.

BUG=chromium:654169
R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org

Committed: https://pdfium.googlesource.com/pdfium/+/24ba0a2ef48d7be37f02056d20bb8c625f641939

Patch Set 1 #

Total comments: 2
Stats: +15 lines, -1 line
A third_party/libtiff/0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch (1 chunk, +13 lines, -0 lines, 0 comments)
M third_party/libtiff/README.pdfium (1 chunk, +1 line, -0 lines, 0 comments)
M third_party/libtiff/tif_aux.c (1 chunk, +1 line, -1 line, 2 comments)

Messages

Total messages: 9 (3 generated)
Ke Liu
The patch (https://codereview.chromium.org/2284063002) for Issue 618267 (https://bugs.chromium.org/p/chromium/issues/detail?id=618267) was insufficient. The integer overflow still could be ...
4 years, 2 months ago (2016-10-08 04:06:02 UTC) #1
Tom Sepez
lgtm
4 years, 2 months ago (2016-10-10 17:28:42 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2405693002/1
4 years, 2 months ago (2016-10-10 17:28:48 UTC) #4
commit-bot: I haz the power
Committed patchset #1 (id:1) as https://pdfium.googlesource.com/pdfium/+/24ba0a2ef48d7be37f02056d20bb8c625f641939
4 years, 2 months ago (2016-10-10 17:58:29 UTC) #6
hong_zhang
Just a question. Thanks https://codereview.chromium.org/2405693002/diff/1/third_party/libtiff/tif_aux.c File third_party/libtiff/tif_aux.c (right): https://codereview.chromium.org/2405693002/diff/1/third_party/libtiff/tif_aux.c#newcode72 third_party/libtiff/tif_aux.c:72: if (nmemb > 0 && ...
4 years, 2 months ago (2016-10-17 18:07:38 UTC) #8
Tom Sepez
4 years, 2 months ago (2016-10-17 18:20:04 UTC) #9
Message was sent while issue was closed.
https://codereview.chromium.org/2405693002/diff/1/third_party/libtiff/tif_aux.c
File third_party/libtiff/tif_aux.c (right):

https://codereview.chromium.org/2405693002/diff/1/third_party/libtiff/tif_aux...
third_party/libtiff/tif_aux.c:72: if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))

nmemb is tmsize_t.

tmsize_t is TIFF_SSIZE_T at 
https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/libtiff/t...

TIFF_SSIZE_T is always signed 
https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/libtiff/t...

(like ssize_t (with two s)).
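The exchange above turns on one point: because tmsize_t is signed, an overflow test on its own is not enough, and the CL's check rejects non-positive operands before asking whether the product overflows. The C program below is an added illustration of that reasoning and is not code from this CL or from libtiff. It typedefs tmsize_t to ptrdiff_t purely for portability, and mul_overflows_positive is a hypothetical divide-based stand-in for _TIFFIfMultiplicationOverflow whose result is only meaningful for strictly positive operands. It puts a weak size computation (overflow test only) beside the hardened shape at tif_aux.c:72 so the difference on negative counts is visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for libtiff's tmsize_t, which is the signed TIFF_SSIZE_T.
 * ptrdiff_t is used here only so the example is portable (assumption). */
typedef ptrdiff_t tmsize_t;
#define TMSIZE_MAX PTRDIFF_MAX

/* Hypothetical stand-in for _TIFFIfMultiplicationOverflow: a divide-based
 * test that is only meaningful when BOTH operands are strictly positive.
 * With b == 0 the division is undefined; with a negative operand the
 * comparison can report "no overflow" for a product that is negative. */
static int mul_overflows_positive(tmsize_t a, tmsize_t b)
{
    return a > TMSIZE_MAX / b;
}

/* Weak form: overflow test only, no sign guard (the zero check just keeps
 * the division defined). A negative element count passes straight through
 * and yields a negative byte count that becomes huge once cast to size_t. */
static tmsize_t weak_alloc_size(tmsize_t nmemb, tmsize_t elem_size)
{
    if (elem_size != 0 && !mul_overflows_positive(nmemb, elem_size))
        return nmemb * elem_size;
    return 0;
}

/* Hardened form, mirroring the shape of the check the CL adds to
 * _TIFFCheckRealloc: reject non-positive operands first, so the overflow
 * test only ever sees inputs for which it is valid. */
static tmsize_t checked_alloc_size(tmsize_t nmemb, tmsize_t elem_size)
{
    if (nmemb > 0 && elem_size > 0 &&
        !mul_overflows_positive(nmemb, elem_size))
        return nmemb * elem_size;
    return 0;  /* 0 means "reject": the caller must not allocate */
}

/* realloc wrapper built on the hardened size check; returns NULL and
 * leaves the old buffer untouched when the request is rejected. */
static void *checked_realloc(void *p, tmsize_t nmemb, tmsize_t elem_size)
{
    tmsize_t bytes = checked_alloc_size(nmemb, elem_size);
    if (bytes == 0)
        return NULL;
    return realloc(p, (size_t)bytes);
}

int main(void)
{
    tmsize_t huge = TMSIZE_MAX / 2 + 1;  /* constructed: forces the overflow branch */

    printf("weak   (-1, 8)   -> %td (%zu bytes once cast to size_t)\n",
           weak_alloc_size(-1, 8), (size_t)weak_alloc_size(-1, 8));
    printf("checked(-1, 8)   -> %td\n", checked_alloc_size(-1, 8));
    printf("checked(huge, 4) -> %td\n", checked_alloc_size(huge, 4));
    printf("checked(10, 8)   -> %td\n", checked_alloc_size(10, 8));

    void *buf = checked_realloc(NULL, 10, 8);
    free(buf);
    return 0;
}
```

The weak variant is the part to study: for (-1, 8) the divide-based test is not even wrong, it simply never asks about sign, so the caller receives -8 and, after the unavoidable cast to size_t, a request for nearly the whole address space. The hardened variant returns 0 for a zero or negative count, for a zero or negative element size, and for a genuine overflow, so the allocation site has one failure path to handle.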
