Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch
diff options
context:
space:
mode:
Diffstat (limited to 'media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch')
-rw-r--r--media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch29
1 files changed, 29 insertions, 0 deletions
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch
new file mode 100644
index 000000000000..11975cf38acf
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch
@@ -0,0 +1,29 @@
+https://pdfium-review.googlesource.com/3811
+https://crbug.com/707431
+https://pdfium.googlesource.com/pdfium/+/master/libtiff/
+
+Author: Nicolas Pena <npm@chromium.org>
+Date: Wed Apr 5 15:50:53 2017 -0400
+
+Libtiff: Prevent OOM in TIFFFillStrip
+
+In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of
+memory. In this CL we do sanity checks on the claimed size of the raw strip
+data before that happens, to prevent out-of-memory.
+
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+ return(0);
+ }
++ const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
++ if (bytecountm > size) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Requested read strip size %lu is too large",
++ (unsigned long) strip);
++ return (0);
++ }
+ if (bytecountm > tif->tif_rawdatasize) {
+ tif->tif_curstrip = NOSTRIP;
+ if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {