author | Even Rouault <even.rouault@spatialys.com> | 2017-07-15 13:19:56 +0000 |
---|---|---|
committer | Even Rouault <even.rouault@spatialys.com> | 2017-07-15 13:19:56 +0000 |
commit | 02271af177390d7b04417eee322568f16bbabe3a (patch) | |
tree | aba179175a785d69b70e34dac371bb7e4e11bc21 /libtiff/tif_dirread.c | |
parent | 5b7f711586f1fc7541abba85dfe2c6e90602f8ae (diff) | |
download | libtiff-git-02271af177390d7b04417eee322568f16bbabe3a.tar.gz |
* libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the
arrays that hold StripOffsets/StripByteCounts, when they are smaller
than the expected number of striles, up to 1 million striles, and
error out beyond. Can be tweaked by setting the environment variable
LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
This partially goes against a change added on 2002-12-17 to accept
those arrays of wrong sizes, but is needed to avoid denial of services.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
Credit to OSS Fuzz
Diffstat (limited to 'libtiff/tif_dirread.c')
-rw-r--r-- | libtiff/tif_dirread.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index a3d0efd1..fbd8353c 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.213 2017-06-27 13:44:44 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.214 2017-07-15 13:19:56 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -41,6 +41,7 @@
 
 #include "tiffiop.h"
 #include <float.h>
+#include <stdlib.h>
 
 #define IGNORE 0 /* tag placeholder used below */
 #define FAILED_FII ((uint32) -1)
@@ -5470,6 +5471,22 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
 	if (dir->tdir_count<(uint64)nstrips)
 	{
 		uint64* resizeddata;
+		const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
+		const char* pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
+		uint32 max_nstrips = 1000000;
+		if( pszMax )
+			max_nstrips = (uint32) atoi(pszMax);
+		TIFFReadDirEntryOutputErr(tif,TIFFReadDirEntryErrCount,
+					module,
+					fip ? fip->field_name : "unknown tagname",
+					( nstrips <= max_nstrips ) );
+
+		if( nstrips > max_nstrips )
+		{
+			_TIFFfree(data);
+			return(0);
+		}
+
 		resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
 		if (resizeddata==0) {
 			_TIFFfree(data);
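Review bot: The environment override at `max_nstrips = (uint32) atoi(pszMax);` is not validated: atoi yields 0 for non-numeric text (so every short strip array on this path becomes an error), and a negative or out-of-range value wraps on the cast to uint32, which silently removes the resize cap this commit introduces against oversized allocations. Parsing with strtoul and an end-pointer check keeps the 1000000 default whenever the value is unusable: `char* end; unsigned long v = strtoul(pszMax, &end, 10);` followed by `if( end != pszMax && *end == '\0' && v <= 0xFFFFFFFFUL ) max_nstrips = (uint32) v;` (an errno == ERANGE check too, if errno.h is already available through tiffiop.h). A one-line comment above the getenv would also help the next reader, e.g. `/* Upper bound for growing an undersized StripOffsets/StripByteCounts array; larger counts are rejected. */`. TIFFFetchStripThing begins and ends outside the hunk, so whether dir->tdir_count has been range-checked before this point cannot be confirmed from here.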