| https://pdfium-review.googlesource.com/3811 |
| https://crbug.com/707431 |
| https://pdfium.googlesource.com/pdfium/+/master/libtiff/ |
| |
| Author: Nicolas Pena <npm@chromium.org> |
| Date: Wed Apr 5 15:50:53 2017 -0400 |
| |
| Libtiff: Prevent OOM in TIFFFillStrip |
| |
| In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of |
| memory. In this CL we do sanity checks on the claimed size of the raw strip |
| data before that happens, to prevent out-of-memory. |
| |
| --- a/libtiff/tif_read.c |
| +++ b/libtiff/tif_read.c |
| @@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip) |
| TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); |
| return(0); |
| } |
| + const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif); |
| + if (bytecountm > size) { |
| + TIFFErrorExt(tif->tif_clientdata, module, |
| + "Requested read strip size %lu is too large", |
| + (unsigned long) strip); |
| + return (0); |
| + } |
| if (bytecountm > tif->tif_rawdatasize) { |
| tif->tif_curstrip = NOSTRIP; |
| if ((tif->tif_flags & TIFF_MYBUFFER) == 0) { |