LibTIFF: upstream patch to fix null dereference
This CL applies this patch that fixes a recent null dereference regression:
https://github.com/vadz/libtiff/commit/57f4b28c00d78bd5d74768585d0e46b2e12e94f7
Bug: chromium:743621
Change-Id: I0f9d4321dc6ea71dd31cf0ba8420cc25d401f0d8
Reviewed-on: https://pdfium-review.googlesource.com/9490
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
diff --git a/third_party/libtiff/0026-upstream-null-dereference.patch b/third_party/libtiff/0026-upstream-null-dereference.patch
new file mode 100644
index 0000000..052645f
--- /dev/null
+++ b/third_party/libtiff/0026-upstream-null-dereference.patch
@@ -0,0 +1,22 @@
+diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
+index 03c9a81fb..d37f729c4 100644
+--- a/third_party/libtiff/tif_getimage.c
++++ b/third_party/libtiff/tif_getimage.c
+@@ -681,7 +681,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ return (0);
+ }
+ leftmost_toskew = safeskew;
+- for (row = 0; row < h; row += nrow)
++ for (row = 0; ret != 0 && row < h; row += nrow)
+ {
+ rowstoread = th - (row + img->row_offset) % th;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
+@@ -830,7 +830,7 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ leftmost_fromskew = img->col_offset % tw;
+ leftmost_tw = tw - leftmost_fromskew;
+ leftmost_toskew = toskew + leftmost_fromskew;
+- for (row = 0; row < h; row += nrow)
++ for (row = 0; ret != 0 && row < h; row += nrow)
+ {
+ rowstoread = th - (row + img->row_offset) % th;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index d881207..80cc637 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -15,3 +15,4 @@
0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch: Fix a heap buffer overflow
0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
0025-upstream-OOM-gtTileContig: allocates the decoded buffer only after a first successful TIFFFillStrip.
+0026-upstream-null-dereference: properly evit when stoponerr is set and avoid null dereferences.
diff --git a/third_party/libtiff/tif_getimage.c b/third_party/libtiff/tif_getimage.c
index 03c9a81..d37f729 100644
--- a/third_party/libtiff/tif_getimage.c
+++ b/third_party/libtiff/tif_getimage.c
@@ -681,7 +681,7 @@
return (0);
}
leftmost_toskew = safeskew;
- for (row = 0; row < h; row += nrow)
+ for (row = 0; ret != 0 && row < h; row += nrow)
{
rowstoread = th - (row + img->row_offset) % th;
nrow = (row + rowstoread > h ? h - row : rowstoread);
@@ -830,7 +830,7 @@
leftmost_fromskew = img->col_offset % tw;
leftmost_tw = tw - leftmost_fromskew;
leftmost_toskew = toskew + leftmost_fromskew;
- for (row = 0; row < h; row += nrow)
+ for (row = 0; ret != 0 && row < h; row += nrow)
{
rowstoread = th - (row + img->row_offset) % th;
nrow = (row + rowstoread > h ? h - row : rowstoread);