authorerouault <erouault>2017-06-30 11:29:22 +0000
committererouault <erouault>2017-06-30 11:29:22 +0000
commit90f072631b9113644bd72ad416fe899419816f81 (patch)
treebf4d806b70054c8a71ee555e3a687ea8339b3bf4
parentcf096692e43eaf02c67098e91f1e68b505c172b8 (diff)
downloadlibtiff-90f072631b9113644bd72ad416fe899419816f81.tar.gz
* libtiff/tif_read.c: TIFFFillTile(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than reasonable, so as to avoid excessive memory allocation (similarly to what was done for TIFFFileStrip() on 2017-05-10)
-rw-r--r--ChangeLog7
-rw-r--r--libtiff/tif_read.c35
2 files changed, 41 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index c4ef9a7c..c969f9e2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-06-30 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: TIFFFillTile(): add limitation to the number
+ of bytes read in case td_stripbytecount[strip] is bigger than
+ reasonable, so as to avoid excessive memory allocation (similarly to
+ what was done for TIFFFileStrip() on 2017-05-10)
+
2017-06-29 Even Rouault <even.rouault at spatialys.com>
* libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c,
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 4f85fa93..b4fe333f 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -1,4 +1,4 @@
-/* $Id: tif_read.c,v 1.60 2017-06-29 07:37:12 erouault Exp $ */
+/* $Id: tif_read.c,v 1.61 2017-06-30 11:29:22 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -1100,6 +1100,39 @@ TIFFFillTile(TIFF* tif, uint32 tile)
#endif
return (0);
}
+
+ /* To avoid excessive memory allocations: */
+ /* Byte count should normally not be larger than a number of */
+ /* times the uncompressed size plus some margin */
+ if( bytecount > 1024 * 1024 )
+ {
+ /* 10 and 4096 are just values that could be adjusted. */
+ /* Hopefully they are safe enough for all codecs */
+ tmsize_t stripsize = TIFFTileSize(tif);
+ if( stripsize != 0 &&
+ (bytecount - 4096) / 10 > (uint64)stripsize )
+ {
+ uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+ if( (int64)newbytecount >= 0 )
+ {
+#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Too large tile byte count %I64u, tile %lu. Limiting to %I64u",
+ (unsigned __int64) bytecount,
+ (unsigned long) tile,
+ (unsigned __int64) newbytecount);
+#else
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Too large tile byte count %llu, tile %lu. Limiting to %llu",
+ (unsigned long long) bytecount,
+ (unsigned long) tile,
+ (unsigned long long) newbytecount);
+#endif
+ bytecount = newbytecount;
+ }
+ }
+ }
+
if (isMapped(tif) &&
(isFillOrder(tif, td->td_fillorder)
|| (tif->tif_flags & TIFF_NOBITREV))) {
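Review bot: The `#else` branch reports the clamp through `TIFFErrorExt` while the Windows branch uses `TIFFWarningExt`, even though both continue with the reduced `bytecount`. A client whose error handler aborts or marks the file as failed will therefore treat the same oversized tile differently per platform; since the read proceeds, the non-Windows call should also be `TIFFWarningExt(tif->tif_clientdata, module,`. Separately, the limit is skipped when `TIFFTileSize(tif)` returns 0 or when `(int64)newbytecount` is negative, so in those cases the file-supplied byte count appears to go on unchanged. Either return 0 there or add a comment such as `/* stripsize == 0: no bound applied, later size checks must reject this tile */` so the guard's coverage is explicit. TIFFFillTile() starts and ends outside this hunk, so the allocation that this bound protects is not visible here and should be checked against these two paths.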