summaryrefslogtreecommitdiff
path: root/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch
diff options
context:
space:
mode:
Diffstat (limited to 'media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch')
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch97
1 files changed, 97 insertions, 0 deletions
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch
new file mode 100644
index 000000000000..7914743393ff
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch
@@ -0,0 +1,97 @@
+https://pdfium-review.googlesource.com/2355
+https://crbug.com/681300
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: Nicolas Pena <npm@chromium.org>
+Date: Wed Jan 25 10:41:06 2017 -0500
+
+Prevent skew overflows in gtTileContig
+
+Using int64 to check whether uint32 operations have overflowed.
+
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -31,6 +31,7 @@
+ */
+ #include "tiffiop.h"
+ #include <stdio.h>
++#include <limits.h>
+
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -629,6 +628,7 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ uint32 tw, th;
+ unsigned char* buf;
+ int32 fromskew, toskew;
++ int64 safeskew;
+ uint32 nrow;
+ int ret = 1, flip;
+ uint32 this_tw, tocol;
+@@ -649,19 +647,37 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ flip = setorientation(img);
+ if (flip & FLIP_VERTICALLY) {
+ y = h - 1;
+- toskew = -(int32)(tw + w);
++ safeskew = 0;
++ safeskew -= tw;
++ safeskew -= w;
+ }
+ else {
+ y = 0;
+- toskew = -(int32)(tw - w);
++ safeskew = 0;
++ safeskew -= tw;
++ safeskew +=w;
+ }
+
++ if(safeskew > INT_MAX || safeskew < INT_MIN){
++ _TIFFfree(buf);
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
++ return (0);
++ }
++ toskew = safeskew;
++
+ /*
+ * Leftmost tile is clipped on left side if col_offset > 0.
+ */
+ leftmost_fromskew = img->col_offset % tw;
+ leftmost_tw = tw - leftmost_fromskew;
+- leftmost_toskew = toskew + leftmost_fromskew;
++ safeskew = toskew;
++ safeskew += leftmost_fromskew;
++ if(safeskew > INT_MAX || safeskew < INT_MIN){
++ _TIFFfree(buf);
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
++ return (0);
++ }
++ leftmost_toskew = safeskew;
+ for (row = 0; row < h; row += nrow)
+ {
+ rowstoread = th - (row + img->row_offset) % th;
+@@ -704,9 +684,24 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ /*
+ * Rightmost tile is clipped on right side.
+ */
+- fromskew = tw - (w - tocol);
++ safeskew = tw;
++ safeskew -= w;
++ safeskew += tocol;
++ if(safeskew > INT_MAX || safeskew < INT_MIN){
++ _TIFFfree(buf);
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
++ return (0);
++ }
++ fromskew = safeskew;
+ this_tw = tw - fromskew;
+- this_toskew = toskew + fromskew;
++ safeskew = toskew;
++ safeskew += fromskew;
++ if(safeskew > INT_MAX || safeskew < INT_MIN){
++ _TIFFfree(buf);
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "Invalid skew");
++ return (0);
++ }
++ this_toskew = safeskew;
+ }
+ (*put)(img, raster+y*w+tocol, tocol, y, this_tw, nrow, fromskew, this_toskew, buf + pos);
+ tocol += this_tw;
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-03 02:17:10 +0000