author | Even Rouault <even.rouault@spatialys.com> | 2019-09-18 01:21:17 +0200 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2019-09-18 01:21:17 +0200 |
commit | e86d43caeec81132df187fff3763e8a6ea591742 (patch) | |
tree | b1027abc8e7d4c2cd9e948784c98aca946c958db | |
parent | 3519ab6c7fd9c7b3692a7053d2dac5a8958a6ab2 (diff) | |
download | libtiff-git-e86d43caeec81132df187fff3763e8a6ea591742.tar.gz |
TIFFReadAndRealloc(): avoid too large memory allocation attempts. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17244
-rw-r--r-- | libtiff/tif_read.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index b9e5a932..2ccaec98 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -60,6 +60,22 @@ static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
 #endif
 tmsize_t already_read = 0;
+
+#if SIZEOF_SIZE_T != 8
+ /* On 32 bit processes, if the request is large enough, check against */
+ /* file size */
+ if( size > 1000 * 1000 * 1000 )
+ {
+ uint64 filesize = TIFFGetFileSize(tif);
+ if( (uint64)size >= filesize )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Chunk size requested is larger than file size.");
+ return 0;
+ }
+ }
+#endif
+
 /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */
 /* so as to avoid allocating too much memory in case the file is too */
 /* short. We could ask for the file size, but this might be */ |
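Review bot: The `size > 1000 * 1000 * 1000` guard leaves every request at or below about 1 GB unchecked on non-64-bit builds, so a file that declares a chunk just under that limit presumably still reaches the allocation with no comparison against the file size. The bare literal also carries no rationale; a named constant such as `#define MAX_UNCHECKED_CHUNK_SIZE (1000 * 1000 * 1000)` (name constructed here) with a one-line comment on why smaller requests skip the check would make the bound easier to audit. The rejection test is `(uint64)size >= filesize` while the message says "larger than file size", so either the operator or the wording should be adjusted to match. It is also worth confirming what `TIFFGetFileSize()` returns for client I/O layers that cannot report a size, since a 0 there would reject every large request on these builds. The body of TIFFReadAndRealloc starts before and continues after this hunk.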