summaryrefslogtreecommitdiff
path: root/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
diff options
context:
space:
mode:
Diffstat (limited to 'media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch')
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch26
1 files changed, 26 insertions, 0 deletions
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
new file mode 100644
index 000000000000..35f59b9bffd9
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
@@ -0,0 +1,26 @@
+https://codereview.chromium.org/2405693002
+https://crbug.com/654169
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: stackexploit <stackexploit@gmail.com>
+Date: Mon Oct 10 10:58:25 2016 -0700
+
+libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.
+
+The patch (https://codereview.chromium.org/2284063002) for Issue 618267
+was insufficient. The integer overflow still could be triggered and could
+lead to heap buffer overflow.
+
+This CL strengthens integer overflow check in function _TIFFCheckRealloc.
+
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ /*
+ * XXX: Check for integer overflow.
+ */
+- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
++ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ cp = _TIFFrealloc(buffer, bytes);
+
+ if (cp == NULL) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-03 01:01:55 +0000