Prevent an OOM error in libtiff.
BUG=chromium:781582
Change-Id: I17711956884d1902cbd86f2163155b256402ecda
Reviewed-on: https://pdfium-review.googlesource.com/17891
Reviewed-by: Chris Palmer <palmer@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/third_party/libtiff/0028-nstrips-OOM.patch b/third_party/libtiff/0028-nstrips-OOM.patch
new file mode 100644
index 0000000..a6db66e
--- /dev/null
+++ b/third_party/libtiff/0028-nstrips-OOM.patch
@@ -0,0 +1,26 @@
+diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
+index 772ebaf7d..ab938eac9 100644
+--- a/third_party/libtiff/tif_dirread.c
++++ b/third_party/libtiff/tif_dirread.c
+@@ -41,6 +41,7 @@
+
+ #include "tiffiop.h"
+ #include <float.h>
++#include <limits.h>
+
+ #define IGNORE 0 /* tag placeholder used below */
+ #define FAILED_FII ((uint32) -1)
+@@ -3638,6 +3639,13 @@ TIFFReadDirectory(TIFF* tif)
+ isTiled(tif) ? "tiles" : "strips");
+ goto bad;
+ }
++ if (tif->tif_dir.td_nstrips > INT_MAX) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Cannot handle %u number of %s",
++ tif->tif_dir.td_nstrips,
++ isTiled(tif) ? "tiles" : "strips");
++ goto bad;
++ }
+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 39a8b5f..a370a49 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -17,3 +17,4 @@
0025-upstream-OOM-gtTileContig: allocates the decoded buffer only after a first successful TIFFFillStrip.
0026-upstream-null-dereference: properly evit when stoponerr is set and avoid null dereferences.
0027-build-config.patch: #define variables so their value can be used by #if.
+0028-nstrips-OOM.patch: return error for excess number of tiles/strips.
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
index 772ebaf..ab938ea 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -41,6 +41,7 @@
#include "tiffiop.h"
#include <float.h>
+#include <limits.h>
#define IGNORE 0 /* tag placeholder used below */
#define FAILED_FII ((uint32) -1)
@@ -3638,6 +3639,13 @@
isTiled(tif) ? "tiles" : "strips");
goto bad;
}
+ if (tif->tif_dir.td_nstrips > INT_MAX) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot handle %u number of %s",
+ tif->tif_dir.td_nstrips,
+ isTiled(tif) ? "tiles" : "strips");
+ goto bad;
+ }
tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
