Google Git
Sign in
pdfium / pdfium.git / 2b25a153590a1b1efb9d08314f6e896a3b8912df^! / .
commit2b25a153590a1b1efb9d08314f6e896a3b8912df[log] [tgz]
authorTom Sepez <tsepez@chromium.org>Fri Mar 05 16:43:04 2021 +0000
committerChromium commit bot <commit-bot@chromium.org>Fri Mar 05 16:43:04 2021 +0000
tree8aabc856ee9da1563a81a99184f820d12d467adf
parent606d085a64ba5adf3627900985cec487bb46ac2e [diff]
Avoid signed overflow in PixarLogDecode().

Casting an unsigned (uInt) to a signed (tmsize_t) can be perilous
on 32-bit platforms.

Bug: chromium:1184636
Change-Id: Ie5171278573a26c6fd223319896e702dcd9510eb
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/78390
Reviewed-by: Daniel Hosseinian <dhoss@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

diff --git a/third_party/libtiff/0033-avail-out-overflow.patch b/third_party/libtiff/0033-avail-out-overflow.patch
new file mode 100644
index 0000000..08ea746
--- /dev/null
+++ b/third_party/libtiff/0033-avail-out-overflow.patch

@@ -0,0 +1,13 @@
+diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
+index 626409058..e72cc0be9 100644
+--- a/third_party/libtiff/tif_pixarlog.c
++++ b/third_party/libtiff/tif_pixarlog.c
+@@ -799,7 +799,7 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ 		return (0);
+ 	}
+ 	/* Check that we will not fill more than what was allocated */
+-	if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)
++        if (sp->tbuf_size < 0 || sp->stream.avail_out > (uInt) sp->tbuf_size)
+ 	{
+ 		TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ 		return (0);

diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 4691827..b7d70e7 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium

@@ -15,3 +15,4 @@
 0028-nstrips-OOM.patch: return error for excess number of tiles/strips.
 0031-safe_size_ingtStripContig.patch: return error if the size to read overflow from int32.
 0032-builtin-codecs.patch: make _TIFFBuiltinCODECS const data.
+0033-0033-avail-out-overflow.patch: signed comparison in PixarLogDecode().
\ No newline at end of file

diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index 6264090..e72cc0b 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c

@@ -799,7 +799,7 @@
 		return (0);
 	}
 	/* Check that we will not fill more than what was allocated */
-	if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size)
+        if (sp->tbuf_size < 0 || sp->stream.avail_out > (uInt) sp->tbuf_size)
 	{
 		TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
 		return (0);