Apply two libtiff patches to fix potential null pointer dereferences.
Change-Id: Ibddbff64968dc3e6b044ebed97164adfda8e6fa6
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/51810
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/third_party/libtiff/0029-CVE-2018-17000.patch b/third_party/libtiff/0029-CVE-2018-17000.patch
new file mode 100644
index 0000000..4546ebc
--- /dev/null
+++ b/third_party/libtiff/0029-CVE-2018-17000.patch
@@ -0,0 +1,21 @@
+diff --git a/third_party/libtiff/tif_dirwrite.c b/third_party/libtiff/tif_dirwrite.c
+index c15a28dbd..ef30c869d 100644
+--- a/third_party/libtiff/tif_dirwrite.c
++++ b/third_party/libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
+ n=3;
+ if (n==3)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[2] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ n=2;
+ }
+ if (n==2)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[1] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ n=1;
+ }
+ if (n==0)
diff --git a/third_party/libtiff/0030-CVE-2018-19210.patch b/third_party/libtiff/0030-CVE-2018-19210.patch
new file mode 100644
index 0000000..8c97080
--- /dev/null
+++ b/third_party/libtiff/0030-CVE-2018-19210.patch
@@ -0,0 +1,68 @@
+diff --git a/third_party/libtiff/tif_dir.c b/third_party/libtiff/tif_dir.c
+index 6f0b48798..028ea54a2 100644
+--- a/third_party/libtiff/tif_dir.c
++++ b/third_party/libtiff/tif_dir.c
+@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, double value, size_t nmemb)
+ * Install extra samples information.
+ */
+ static int
+-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
++setExtraSamples(TIFF* tif, va_list ap, uint32* v)
+ {
+ /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
+ #define EXTRASAMPLE_COREL_UNASSALPHA 999
+
+ uint16* va;
+ uint32 i;
++ TIFFDirectory* td = &tif->tif_dir;
++ static const char module[] = "setExtraSamples";
+
+ *v = (uint16) va_arg(ap, uint16_vap);
+ if ((uint16) *v > td->td_samplesperpixel)
+@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
+ return 0;
+ }
+ }
++
++ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "ExtraSamples tag value is changing, "
++ "but TransferFunction was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
++
+ td->td_extrasamples = (uint16) *v;
+ _TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
+ return 1;
+@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ _TIFFfree(td->td_smaxsamplevalue);
+ td->td_smaxsamplevalue = NULL;
+ }
++ /* Test if 3 transfer functions instead of just one are now needed
++ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
++ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "SamplesPerPixel tag value is changing, "
++ "but TransferFunction was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
+ }
+ td->td_samplesperpixel = (uint16) v;
+ break;
+@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ break;
+ case TIFFTAG_EXTRASAMPLES:
+- if (!setExtraSamples(td, ap, &v))
++ if (!setExtraSamples(tif, ap, &v))
+ goto badvalue;
+ break;
+ case TIFFTAG_MATTEING:
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 22e3ebb..f90b107 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -15,3 +15,5 @@
0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
0027-build-config.patch: #define variables so their value can be used by #if.
0028-nstrips-OOM.patch: return error for excess number of tiles/strips.
+0029-CVE-2018-17000.patch: Avoid a null pointer dereference in TIFFWriteDirectoryTagTransferfunction().
+0030-CVE-2018-19210.patch: Avoid a null pointer dereference inside _TIFFVSetField().
diff --git a/third_party/libtiff/tif_dir.c b/third_party/libtiff/tif_dir.c
index 6f0b487..028ea54 100644
--- a/third_party/libtiff/tif_dir.c
+++ b/third_party/libtiff/tif_dir.c
@@ -88,13 +88,15 @@
* Install extra samples information.
*/
static int
-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
+setExtraSamples(TIFF* tif, va_list ap, uint32* v)
{
/* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
#define EXTRASAMPLE_COREL_UNASSALPHA 999
uint16* va;
uint32 i;
+ TIFFDirectory* td = &tif->tif_dir;
+ static const char module[] = "setExtraSamples";
*v = (uint16) va_arg(ap, uint16_vap);
if ((uint16) *v > td->td_samplesperpixel)
@@ -116,6 +118,18 @@
return 0;
}
}
+
+ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "ExtraSamples tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
+
td->td_extrasamples = (uint16) *v;
_TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
return 1;
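Review bot: The new cancellation block in setExtraSamples is a near-verbatim copy of the one added to the SamplesPerPixel case in the next hunk (the warning text differs only in the tag name) and, unlike that one, carries no comment saying why the table is dropped. At minimum the condition deserves the same explanation the other hunk has, e.g. `/* TransferFunction was read as a single column, but the new ExtraSamples value now needs three; see http://bugzilla.maptools.org/show_bug.cgi?id=2820 */`. Better, the free-and-clear sequence could live in one static helper that both call sites use, so that a later change (for instance also resetting td_transferfunction[1] and [2]) cannot be applied to only one of them; a sketch follows. setExtraSamples starts in the previous hunk and its range check on *v, which the unsigned subtraction `td->td_samplesperpixel - *v` relies on, is only partly visible there.
```c
/* Drop a TransferFunction that was stored for a single colour channel once the
 * directory would need three columns; the stale one-column table must not survive. */
static void
clearStaleTransferFunction(TIFF* tif, const char* module, const char* tagname)
{
	TIFFDirectory* td = &tif->tif_dir;
	TIFFWarningExt(tif->tif_clientdata, module,
	    "%s tag value is changing, "
	    "but TransferFunction was read with a different value. Cancelling it",
	    tagname);
	TIFFClrFieldBit(tif, FIELD_TRANSFERFUNCTION);
	_TIFFfree(td->td_transferfunction[0]);
	td->td_transferfunction[0] = NULL;
}

/* … unchanged: setExtraSamples validation of *v and va … */
	if (td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
	    !(td->td_samplesperpixel - td->td_extrasamples > 1))
		clearStaleTransferFunction(tif, module, "ExtraSamples");
```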
@@ -285,6 +299,18 @@
_TIFFfree(td->td_smaxsamplevalue);
td->td_smaxsamplevalue = NULL;
}
+ /* Test if 3 transfer functions instead of just one are now needed
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
+ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "SamplesPerPixel tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
}
td->td_samplesperpixel = (uint16) v;
break;
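Review bot: The test `(v - td->td_extrasamples > 1)` is done in unsigned arithmetic if `v` is the uint32 tag value this function uses elsewhere (it is declared outside the hunk), so a new SamplesPerPixel smaller than the current ExtraSamples wraps to a huge value and the condition fires although the directory would not need three columns; the transfer function is then freed and a misleading "is changing" warning emitted. Writing the comparison without the subtraction avoids the wrap: `if( td->td_transferfunction[0] != NULL && (v > td->td_extrasamples + 1u) &&`. The second clause, `td->td_samplesperpixel - td->td_extrasamples`, is computed on two uint16 values promoted to int and is not affected. _TIFFVSetField begins and ends outside this hunk.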
@@ -361,7 +387,7 @@
_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
break;
case TIFFTAG_EXTRASAMPLES:
- if (!setExtraSamples(td, ap, &v))
+ if (!setExtraSamples(tif, ap, &v))
goto badvalue;
break;
case TIFFTAG_MATTEING:
diff --git a/third_party/libtiff/tif_dirwrite.c b/third_party/libtiff/tif_dirwrite.c
index c15a28d..ef30c86 100644
--- a/third_party/libtiff/tif_dirwrite.c
+++ b/third_party/libtiff/tif_dirwrite.c
@@ -1893,12 +1893,14 @@
n=3;
if (n==3)
{
- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
n=2;
}
if (n==2)
{
- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ if (tif->tif_dir.td_transferfunction[1] == NULL ||
+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
n=1;
}
if (n==0)
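Review bot: The NULL guard on `td_transferfunction[1]` is only evaluated once n has dropped to 2, so with n==3, a non-NULL `[2]` that differs from `[0]` and a NULL `[1]`, n stays 3 and `[1]` is still handed to the copy that, as far as can be inferred, follows later in this function outside the hunk. Folding the second guard into the first condition closes that gap at the cost of writing a one-column table when the three-column one is incomplete: `if (tif->tif_dir.td_transferfunction[2] == NULL || tif->tif_dir.td_transferfunction[1] == NULL ||`. `td_transferfunction[0]` is still passed to _TIFFmemcmp unchecked; that looks acceptable only because the tif_dir.c change clears FIELD_TRANSFERFUNCTION whenever it sets `[0]` to NULL, which is worth stating in a comment above the `n=3` line since the two files now depend on each other. TIFFWriteDirectoryTagTransferfunction starts and ends outside the hunk.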