https://codereview.chromium.org/2405693002
https://crbug.com/654169
https://pdfium.googlesource.com/pdfium/+/master/libtiff/
Author: stackexploit <stackexploit@gmail.com>
Date: Mon Oct 10 10:58:25 2016 -0700
libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.
The patch (https://codereview.chromium.org/2284063002) for Issue 618267
was insufficient. The integer overflow still could be triggered and could
lead to heap buffer overflow.
This CL strengthens the integer overflow check in function _TIFFCheckRealloc.
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer,
/*
* XXX: Check for integer overflow.
*/
- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
+ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size))
cp = _TIFFrealloc(buffer, bytes);
if (cp == NULL) {
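Review bot: the comment above the changed condition still says only "XXX: Check for integer overflow." and does not record why the test moved from non-zero to `> 0`. The two forms differ only when nmemb or elem_size is negative, so the comment should state that negative counts and element sizes are rejected here before _TIFFIfMultiplicationOverflow is consulted; otherwise a later cleanup could fold the condition back to `nmemb && elem_size`. The patch touches tif_aux.c alone, so a regression test for the ChopUpSingleUncompressedStrip case named in the commit message would be worth adding alongside it.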