You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44 lines
1.6 KiB
44 lines
1.6 KiB
From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001
|
|
From: Even Rouault <even.rouault@spatialys.com>
|
|
Date: Sun, 11 Mar 2018 11:14:01 +0100
|
|
Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion
|
|
(CVE-2017-11613)
|
|
|
|
In ChopUpSingleUncompressedStrip(), if the computed number of strips is big
|
|
enough and we are in read only mode, validate that the file size is consistent
|
|
with that number of strips to avoid useless attempts at allocating a lot of
|
|
memory for the td_stripbytecount and td_stripoffset arrays.
|
|
|
|
Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more
|
|
cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
|
|
Credit to OSS Fuzz
|
|
|
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
|
|
---
|
|
libtiff/tif_dirread.c | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
|
index 80aaf8d..5896a78 100644
|
|
--- a/libtiff/tif_dirread.c
|
|
+++ b/libtiff/tif_dirread.c
|
|
@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
|
|
if( nstrips == 0 )
|
|
return;
|
|
|
|
+ /* If we are going to allocate a lot of memory, make sure that the */
|
|
+ /* file is as big as needed */
|
|
+ if( tif->tif_mode == O_RDONLY &&
|
|
+ nstrips > 1000000 &&
|
|
+ (offset >= TIFFGetFileSize(tif) ||
|
|
+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
|
|
+ {
|
|
+ return;
|
|
+ }
|
|
+
|
|
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
|
"for chopped \"StripByteCounts\" array");
|
|
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
|
--
|
|
2.17.1
|
|
|