Apply two libtiff patches to fix potential null pointer dereferences.

Change-Id: Ibddbff64968dc3e6b044ebed97164adfda8e6fa6
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/51810
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/third_party/libtiff/0029-CVE-2018-17000.patch b/third_party/libtiff/0029-CVE-2018-17000.patch
new file mode 100644
index 0000000..4546ebc
--- /dev/null
+++ b/third_party/libtiff/0029-CVE-2018-17000.patch
@@ -0,0 +1,21 @@
+diff --git a/third_party/libtiff/tif_dirwrite.c b/third_party/libtiff/tif_dirwrite.c
+index c15a28dbd..ef30c869d 100644
+--- a/third_party/libtiff/tif_dirwrite.c
++++ b/third_party/libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
+ 		n=3;
+ 	if (n==3)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[2] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ 			n=2;
+ 	}
+ 	if (n==2)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[1] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ 			n=1;
+ 	}
+ 	if (n==0)
diff --git a/third_party/libtiff/0030-CVE-2018-19210.patch b/third_party/libtiff/0030-CVE-2018-19210.patch
new file mode 100644
index 0000000..8c97080
--- /dev/null
+++ b/third_party/libtiff/0030-CVE-2018-19210.patch
@@ -0,0 +1,68 @@
+diff --git a/third_party/libtiff/tif_dir.c b/third_party/libtiff/tif_dir.c
+index 6f0b48798..028ea54a2 100644
+--- a/third_party/libtiff/tif_dir.c
++++ b/third_party/libtiff/tif_dir.c
+@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, double value, size_t nmemb)
+  * Install extra samples information.
+  */
+ static int
+-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
++setExtraSamples(TIFF* tif, va_list ap, uint32* v)
+ {
+ /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
+ #define EXTRASAMPLE_COREL_UNASSALPHA 999 
+ 
+ 	uint16* va;
+ 	uint32 i;
++        TIFFDirectory* td = &tif->tif_dir;
++        static const char module[] = "setExtraSamples";
+ 
+ 	*v = (uint16) va_arg(ap, uint16_vap);
+ 	if ((uint16) *v > td->td_samplesperpixel)
+@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
+ 				return 0;
+ 		}
+ 	}
++
++        if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
++                !(td->td_samplesperpixel - td->td_extrasamples > 1))
++        {
++                TIFFWarningExt(tif->tif_clientdata,module,
++                    "ExtraSamples tag value is changing, "
++                    "but TransferFunction was read with a different value. Cancelling it");
++                TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++                _TIFFfree(td->td_transferfunction[0]);
++                td->td_transferfunction[0] = NULL;
++        }
++
+ 	td->td_extrasamples = (uint16) *v;
+ 	_TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
+ 	return 1;
+@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+                 _TIFFfree(td->td_smaxsamplevalue);
+                 td->td_smaxsamplevalue = NULL;
+             }
++            /* Test if 3 transfer functions instead of just one are now needed
++               See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
++            if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
++                !(td->td_samplesperpixel - td->td_extrasamples > 1))
++            {
++                    TIFFWarningExt(tif->tif_clientdata,module,
++                        "SamplesPerPixel tag value is changing, "
++                        "but TransferFunction was read with a different value. Cancelling it");
++                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++                    _TIFFfree(td->td_transferfunction[0]);
++                    td->td_transferfunction[0] = NULL;
++            }
+         }
+ 		td->td_samplesperpixel = (uint16) v;
+ 		break;
+@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ 		_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ 		break;
+ 	case TIFFTAG_EXTRASAMPLES:
+-		if (!setExtraSamples(td, ap, &v))
++		if (!setExtraSamples(tif, ap, &v))
+ 			goto badvalue;
+ 		break;
+ 	case TIFFTAG_MATTEING:
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 22e3ebb..f90b107 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -15,3 +15,5 @@
 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
 0027-build-config.patch: #define variables so their value can be used by #if.
 0028-nstrips-OOM.patch: return error for excess number of tiles/strips.
+0029-CVE-2018-17000.patch: Avoid a null pointer dereference in TIFFWriteDirectoryTagTransferfunction().
+0030-CVE-2018-19210.patch: Avoid a null pointer dereference inside _TIFFVSetField().
diff --git a/third_party/libtiff/tif_dir.c b/third_party/libtiff/tif_dir.c
index 6f0b487..028ea54 100644
--- a/third_party/libtiff/tif_dir.c
+++ b/third_party/libtiff/tif_dir.c
@@ -88,13 +88,15 @@
  * Install extra samples information.
  */
 static int
-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
+setExtraSamples(TIFF* tif, va_list ap, uint32* v)
 {
 /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
 #define EXTRASAMPLE_COREL_UNASSALPHA 999 
 
 	uint16* va;
 	uint32 i;
+        TIFFDirectory* td = &tif->tif_dir;
+        static const char module[] = "setExtraSamples";
 
 	*v = (uint16) va_arg(ap, uint16_vap);
 	if ((uint16) *v > td->td_samplesperpixel)
@@ -116,6 +118,18 @@
 				return 0;
 		}
 	}
+
+        if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
+                !(td->td_samplesperpixel - td->td_extrasamples > 1))
+        {
+                TIFFWarningExt(tif->tif_clientdata,module,
+                    "ExtraSamples tag value is changing, "
+                    "but TransferFunction was read with a different value. Cancelling it");
+                TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+                _TIFFfree(td->td_transferfunction[0]);
+                td->td_transferfunction[0] = NULL;
+        }
+
 	td->td_extrasamples = (uint16) *v;
 	_TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
 	return 1;
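Review bot: The block added to setExtraSamples() frees and clears only `td->td_transferfunction[0]`, and unlike the matching block added to _TIFFVSetField() it has no comment saying why. The condition implies the table was read as a single channel, so slots [1] and [2] are presumably unset at this point, but nothing in the hunk establishes that. A comment such as `/* TransferFunction was read as one table; [1] and [2] are expected to be NULL here */` would record the assumption, or all three slots could be released. Also, `td->td_samplesperpixel - *v` is evaluated as uint32, so it relies on the `*v > td->td_samplesperpixel` bound check earlier in the function, whose body is outside this hunk. The same single-slot free appears in the _TIFFVSetField() hunk that follows.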
@@ -285,6 +299,18 @@
                 _TIFFfree(td->td_smaxsamplevalue);
                 td->td_smaxsamplevalue = NULL;
             }
+            /* Test if 3 transfer functions instead of just one are now needed
+               See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
+            if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
+                !(td->td_samplesperpixel - td->td_extrasamples > 1))
+            {
+                    TIFFWarningExt(tif->tif_clientdata,module,
+                        "SamplesPerPixel tag value is changing, "
+                        "but TransferFunction was read with a different value. Cancelling it");
+                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+                    _TIFFfree(td->td_transferfunction[0]);
+                    td->td_transferfunction[0] = NULL;
+            }
         }
 		td->td_samplesperpixel = (uint16) v;
 		break;
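Review bot: In the added condition, `v - td->td_extrasamples > 1` is computed in unsigned arithmetic, since v is the variable passed as `uint32*` to setExtraSamples() elsewhere in this diff. A new SamplesPerPixel value smaller than the current ExtraSamples count therefore wraps to a large number and makes that sub-test true. The only effect is that the transfer function is dropped, which is the conservative direction, but the expression reads as a signed comparison. `v > (uint32)td->td_extrasamples + 1` would state the intent without depending on wraparound. The enclosing case in _TIFFVSetField() starts above the hunk.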
@@ -361,7 +387,7 @@
 		_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
 		break;
 	case TIFFTAG_EXTRASAMPLES:
-		if (!setExtraSamples(td, ap, &v))
+		if (!setExtraSamples(tif, ap, &v))
 			goto badvalue;
 		break;
 	case TIFFTAG_MATTEING:
diff --git a/third_party/libtiff/tif_dirwrite.c b/third_party/libtiff/tif_dirwrite.c
index c15a28d..ef30c86 100644
--- a/third_party/libtiff/tif_dirwrite.c
+++ b/third_party/libtiff/tif_dirwrite.c
@@ -1893,12 +1893,14 @@
 		n=3;
 	if (n==3)
 	{
-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+		if (tif->tif_dir.td_transferfunction[2] == NULL ||
+		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
 			n=2;
 	}
 	if (n==2)
 	{
-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+		if (tif->tif_dir.td_transferfunction[1] == NULL ||
+		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
 			n=1;
 	}
 	if (n==0)
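Review bot: The two added NULL checks cover `td_transferfunction[2]` and `td_transferfunction[1]`, but the second is reached only once n has already dropped to 2. If slot [2] is non-NULL and differs from slot [0], n stays 3 and slot [1] is never tested, so a NULL slot [1] would still reach whatever consumes the tables after this hunk. Slot [0] is likewise passed to `_TIFFmemcmp` unchecked. Whether those states can occur depends on code outside the hunk, but a guard ahead of the comparisons, e.g. `if (n>1 && tif->tif_dir.td_transferfunction[1] == NULL) n=1;`, would close the gap cheaply. The function body begins and ends outside the hunk.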