diff options
Diffstat (limited to 'media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch')
-rw-r--r-- | media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch new file mode 100644 index 000000000000..35f59b9bffd9 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch @@ -0,0 +1,26 @@ +https://codereview.chromium.org/2405693002 +https://crbug.com/654169 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: stackexploit <stackexploit@gmail.com> +Date: Mon Oct 10 10:58:25 2016 -0700 + +libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip. + +The patch (https://codereview.chromium.org/2284063002) for Issue 618267 +was insufficient. The integer overflow still could be triggered and could +lead to heap buffer overflow. + +This CL strengthens integer overflow check in function _TIFFCheckRealloc. + +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, + /* + * XXX: Check for integer overflow. + */ +- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) ++ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + cp = _TIFFrealloc(buffer, bytes); + + if (cp == NULL) { |