* libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the

arrays that hold StripOffsets/StripByteCounts, when they are smaller than the expected number of striles, up to 1 million striles, and error out beyond. Can be tweaked by setting the environment variable LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. This partially goes against a change added on 2002-12-17 to accept those arrays of wrong sizes, but is needed to avoid denial of services. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 Credit to OSS Fuzz
author: erouault <erouault> 2017-07-15 13:19:56 +0000
committer: erouault <erouault> 2017-07-15 13:19:56 +0000
commit: 95e4ddb5893a2f2eaa5a27f3c49ed15a1602e2cb (patch)
tree: a492f0277479e2f9c947759f242f163b478a3397
parent: 4b8e4e2c4e007e26d5fd3f7e2bbf7ed71bca53bf (diff)
download: libtiff-95e4ddb5893a2f2eaa5a27f3c49ed15a1602e2cb.tar.gz
2 files changed, 30 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index b467ec8d..932ddee5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
 2017-07-15  Even Rouault <even.rouault at spatialys.com>
 
+	* libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the
+	arrays that hold StripOffsets/StripByteCounts, when they are smaller
+	than the expected number of striles, up to 1 million striles, and
+	error out beyond. Can be tweaked by setting the environment variable
+	LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
+	This partially goes against a change added on 2002-12-17 to accept
+	those arrays of wrong sizes, but is needed to avoid denial of services.
+	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
+	Credit to OSS Fuzz
+
+2017-07-15  Even Rouault <even.rouault at spatialys.com>
+
 	* libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile().
 	Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708
 	in the isMapped() case, so as to avoid excessive memory allocation
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index a3d0efd1..fbd8353c 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.213 2017-06-27 13:44:44 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.214 2017-07-15 13:19:56 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -41,6 +41,7 @@
 
 #include "tiffiop.h"
 #include <float.h>
+#include <stdlib.h>
 
 #define IGNORE 0          /* tag placeholder used below */
 #define FAILED_FII    ((uint32) -1)
@@ -5470,6 +5471,22 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
 	if (dir->tdir_count<(uint64)nstrips)
 	{
 		uint64* resizeddata;
+		const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
+		const char* pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
+		uint32 max_nstrips = 1000000;
+		if( pszMax )
+			max_nstrips = (uint32) atoi(pszMax);
+		TIFFReadDirEntryOutputErr(tif,TIFFReadDirEntryErrCount,
+		            module,
+		            fip ? fip->field_name : "unknown tagname",
+		            ( nstrips <= max_nstrips ) );
+
+		if( nstrips > max_nstrips )
+		{
+			_TIFFfree(data);
+			return(0);
+		}
+
 		resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
 		if (resizeddata==0) {
 			_TIFFfree(data);
author	erouault <erouault>	2017-07-15 13:19:56 +0000
committer	erouault <erouault>	2017-07-15 13:19:56 +0000
commit	95e4ddb5893a2f2eaa5a27f3c49ed15a1602e2cb (patch)
tree	a492f0277479e2f9c947759f242f163b478a3397
parent	4b8e4e2c4e007e26d5fd3f7e2bbf7ed71bca53bf (diff)
download	libtiff-95e4ddb5893a2f2eaa5a27f3c49ed15a1602e2cb.tar.gz