authorEven Rouault <even.rouault@spatialys.com>2019-09-18 01:21:17 +0200
committerEven Rouault <even.rouault@spatialys.com>2019-09-18 01:21:17 +0200
commite86d43caeec81132df187fff3763e8a6ea591742 (patch)
treeb1027abc8e7d4c2cd9e948784c98aca946c958db
parent3519ab6c7fd9c7b3692a7053d2dac5a8958a6ab2 (diff)
TIFFReadAndRealloc(): avoid too large memory allocation attempts. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17244
-rw-r--r--libtiff/tif_read.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index b9e5a932..2ccaec98 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -60,6 +60,22 @@ static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
#endif
tmsize_t already_read = 0;
+
+#if SIZEOF_SIZE_T != 8
+ /* On 32 bit processes, if the request is large enough, check against */
+ /* file size */
+ if( size > 1000 * 1000 * 1000 )
+ {
+ uint64 filesize = TIFFGetFileSize(tif);
+ if( (uint64)size >= filesize )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Chunk size requested is larger than file size.");
+ return 0;
+ }
+ }
+#endif
+
/* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
/* so as to avoid allocating too much memory in case the file is too */
/* short. We could ask for the file size, but this might be */