author | erouault <erouault> | 2017-05-10 13:37:19 +0000 |
---|---|---|
committer | erouault <erouault> | 2017-05-10 13:37:19 +0000 |
commit | 7dd1b157ceeb1a425891579dece7b2ff7de16aff (patch) | |
tree | 3b166087757305a6ff70a71b80a292cccc1b446b | |
parent | af18bcee9d6f6648a583a543f7e496cf02cacfa8 (diff) | |
download | libtiff-7dd1b157ceeb1a425891579dece7b2ff7de16aff.tar.gz |
* libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | libtiff/tif_read.c | 35 |
2 files changed, 40 insertions, 1 deletions
@@ -1,3 +1,9 @@
+2017-05-10 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
+ of bytes read in case td_stripbytecount[strip] is bigger than
+ reasonable, so as to avoid excessive memory allocation.
+
 2017-04-28 Even Rouault <even.rouault at spatialys.com>
 * tools/tiff2bw.c: close TIFF handle in error code path.
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 6a8c7daf..763fb97a 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -1,4 +1,4 @@
-/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */
+/* $Id: tif_read.c,v 1.54 2017-05-10 13:37:19 erouault Exp $ */
 /*
 * Copyright (c) 1988-1997 Sam Leffler
@@ -544,6 +544,39 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
 #endif
 return (0);
 }
+
+ /* To avoid excessive memory allocations: */
+ /* Byte count should normally not be larger than a number of */
+ /* times the uncompressed size plus some margin */
+ if( bytecount > 1024 * 1024 )
+ {
+ /* 10 and 4096 are just values that could be adjusted. */
+ /* Hopefully they are safe enough for all codecs */
+ tmsize_t stripsize = TIFFStripSize(tif);
+ if( stripsize != 0 &&
+ (bytecount - 4096) / 10 > (uint64)stripsize )
+ {
+ uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+ if( (int64)newbytecount >= 0 )
+ {
+#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Too large strip byte count %I64u, strip %lu. Limiting to %I64u",
+ (unsigned __int64) bytecount,
+ (unsigned long) strip,
+ (unsigned __int64) newbytecount);
+#else
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Too large strip byte count %llu, strip %lu. Limiting to %llu",
+ (unsigned long long) bytecount,
+ (unsigned long) strip,
+ (unsigned long long) newbytecount);
+#endif
+ bytecount = newbytecount;
+ }
+ }
+ }
+
 if (isMapped(tif) && (isFillOrder(tif, td->td_fillorder) || (tif->tif_flags & TIFF_NOBITREV))) { |
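Review bot: The `#else` branch of the new clamp in TIFFFillStrip() reports through `TIFFErrorExt` while the Windows branch uses `TIFFWarningExt` for the same message, so the same file produces an error on one platform and a warning on the other even though reading continues with the reduced `bytecount` in both; the `#else` call should read `TIFFWarningExt(tif->tif_clientdata, module,`. The cap is relative to `TIFFStripSize(tif)`, which presumably derives from dimensions declared in the same file, so it bounds the ratio of stored to uncompressed size rather than the absolute allocation; a comment stating that, or an extra comparison against the real file size where it is known, would make the guarantee clear. When `(int64)newbytecount >= 0` is false the oversized count is kept with no message, which deserves a one-line comment naming the later check, if any, that is expected to reject it. TIFFFillStrip() begins and ends outside this hunk.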