diff options
| author | Even Rouault <even.rouault@spatialys.com> | 2019-09-01 15:57:17 +0200 |
|---|---|---|
| committer | Even Rouault <even.rouault@spatialys.com> | 2019-09-01 15:57:17 +0200 |
| commit | 760ecced1ea9b01fb2893af15ed1e31f3d64b259 (patch) | |
| tree | 266cc0e5c738fe12a29e6d3c99fdacecc6182df4 | |
| parent | c22f319eb4da5d75a5fcda41cf24983f7355d9c6 (diff) | |
| download | libtiff-git-760ecced1ea9b01fb2893af15ed1e31f3d64b259.tar.gz | |
tif_dirread.c: allocChoppedUpStripArrays(). avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16846
| -rw-r--r-- | libtiff/tif_dirread.c | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index c5584fe6..94af0c96 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -5745,10 +5745,22 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32 nstrips, TIFFDirectory *td = &tif->tif_dir; uint64 bytecount; uint64 offset; + uint64 last_offset; + uint64 last_bytecount; uint32 i; uint64 *newcounts; uint64 *newoffsets; + offset = TIFFGetStrileOffset(tif, 0); + last_offset = TIFFGetStrileOffset(tif, td->td_nstrips-1); + last_bytecount = TIFFGetStrileByteCount(tif, td->td_nstrips-1); + if( last_offset > TIFF_UINT64_MAX - last_bytecount || + last_offset + last_bytecount < offset ) + { + return; + } + bytecount = last_offset + last_bytecount - offset; + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), "for chopped \"StripByteCounts\" array"); newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), @@ -5769,9 +5781,6 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32 nstrips, * Fill the strip information arrays with new bytecounts and offsets * that reflect the broken-up format. */ - offset = TIFFGetStrileOffset(tif, 0); - bytecount = TIFFGetStrileOffset(tif, td->td_nstrips-1) + - TIFFGetStrileByteCount(tif, td->td_nstrips-1) - offset; for (i = 0; i < nstrips; i++) { if (stripbytes > bytecount) @@ -5953,12 +5962,16 @@ static void TryChopUpUncompressedBigTiff( TIFF* tif ) /* If we are going to allocate a lot of memory, make sure that the */ /* file is as big as needed */ if( tif->tif_mode == O_RDONLY && - nstrips > 1000000 && - (TIFFGetStrileOffset(tif, td->td_nstrips-1) > TIFFGetFileSize(tif) || - TIFFGetStrileOffset(tif, td->td_nstrips-1) + - TIFFGetStrileByteCount(tif, td->td_nstrips-1) > TIFFGetFileSize(tif)) ) + nstrips > 1000000 ) { - return; + uint64 last_offset = TIFFGetStrileOffset(tif, td->td_nstrips-1); + uint64 filesize = TIFFGetFileSize(tif); + uint64 last_bytecount = TIFFGetStrileByteCount(tif, td->td_nstrips-1); + if( last_offset > filesize || + last_bytecount > filesize - last_offset ) + { + return; + } } allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip); |