TIFFSetupStrips: enforce 2GB limitation of Strip/Tile Offsets/ByteCounts arrays

TIFFWriteDirectoryTagData() has an assertion that checks that the arrays are not larger than 2GB. So error out earlier if in that situation.
author: Even Rouault <even.rouault@spatialys.com> 2020-02-01 18:11:08 +0100
committer: Even Rouault <even.rouault@spatialys.com> 2020-02-01 18:11:11 +0100
commit: 37a02ad493586bfd21a6fb15c5d8deeaaaffc41b (patch)
tree: 4884ad12ade199a50ed0f78caeeeea9c41b67bb9
parent: 7a335a32ebbce103d429c82a8d60d25ead1ccf0e (diff)
download: libtiff-git-37a02ad493586bfd21a6fb15c5d8deeaaaffc41b.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
index 33e803c1..f79330e9 100644
--- a/libtiff/tif_write.c
+++ b/libtiff/tif_write.c
@@ -533,6 +533,13 @@ TIFFSetupStrips(TIFF* tif)
 		    isUnspecified(tif, FIELD_ROWSPERSTRIP) ?
 			td->td_samplesperpixel : TIFFNumberOfStrips(tif);
 	td->td_nstrips = td->td_stripsperimage;
+        /* TIFFWriteDirectoryTagData has a limitation to 0x80000000U bytes */
+        if( td->td_nstrips >= 0x80000000U / ((tif->tif_flags&TIFF_BIGTIFF)?0x8U:0x4U) )
+        {
+            TIFFErrorExt(tif->tif_clientdata, "TIFFSetupStrips",
+                         "Too large Strip/Tile Offsets/ByteCounts arrays");
+            return 0;
+        }
 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
 		td->td_stripsperimage /= td->td_samplesperpixel;
 	td->td_stripoffset_p = (uint64 *)
author	Even Rouault <even.rouault@spatialys.com>	2020-02-01 18:11:08 +0100
committer	Even Rouault <even.rouault@spatialys.com>	2020-02-01 18:11:11 +0100
commit	37a02ad493586bfd21a6fb15c5d8deeaaaffc41b (patch)
tree	4884ad12ade199a50ed0f78caeeeea9c41b67bb9
parent	7a335a32ebbce103d429c82a8d60d25ead1ccf0e (diff)
download	libtiff-git-37a02ad493586bfd21a6fb15c5d8deeaaaffc41b.tar.gz