author | erouault <erouault> | 2017-07-15 13:19:56 +0000 |
---|---|---|
committer | erouault <erouault> | 2017-07-15 13:19:56 +0000 |
commit | 95e4ddb5893a2f2eaa5a27f3c49ed15a1602e2cb (patch) | |
tree | a492f0277479e2f9c947759f242f163b478a3397 | |
parent | 4b8e4e2c4e007e26d5fd3f7e2bbf7ed71bca53bf (diff) | |
* libtiff/tif_dirread.c: in TIFFFetchStripThing(), only grow the
arrays that hold StripOffsets/StripByteCounts, when they are smaller
than the expected number of striles, up to 1 million striles, and
error out beyond. Can be tweaked by setting the environment variable
LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
This partially goes against a change added on 2002-12-17 to accept
those arrays of wrong sizes, but is needed to avoid denial of services.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
Credit to OSS Fuzz
-rw-r--r-- | ChangeLog | 12 | ||||
-rw-r--r-- | libtiff/tif_dirread.c | 19 |
2 files changed, 30 insertions, 1 deletions
@@ -1,5 +1,17 @@
 2017-07-15 Even Rouault <even.rouault at spatialys.com>
 
+ * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the
+ arrays that hold StripOffsets/StripByteCounts, when they are smaller
+ than the expected number of striles, up to 1 million striles, and
+ error out beyond. Can be tweaked by setting the environment variable
+ LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
+ This partially goes against a change added on 2002-12-17 to accept
+ those arrays of wrong sizes, but is needed to avoid denial of services.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
+ Credit to OSS Fuzz
+
+2017-07-15 Even Rouault <even.rouault at spatialys.com>
+
 * libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). Complementary
 fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708 in the
 isMapped() case, so as to avoid excessive memory allocation
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index a3d0efd1..fbd8353c 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.213 2017-06-27 13:44:44 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.214 2017-07-15 13:19:56 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -41,6 +41,7 @@
 
 #include "tiffiop.h"
 #include <float.h>
+#include <stdlib.h>
 
 #define IGNORE 0 /* tag placeholder used below */
 #define FAILED_FII ((uint32) -1)
@@ -5470,6 +5471,22 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
 if (dir->tdir_count<(uint64)nstrips)
 {
 uint64* resizeddata;
+ const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
+ const char* pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
+ uint32 max_nstrips = 1000000;
+ if( pszMax )
+ max_nstrips = (uint32) atoi(pszMax);
+ TIFFReadDirEntryOutputErr(tif,TIFFReadDirEntryErrCount,
+ module,
+ fip ? fip->field_name : "unknown tagname",
+ ( nstrips <= max_nstrips ) );
+
+ if( nstrips > max_nstrips )
+ {
+ _TIFFfree(data);
+ return(0);
+ }
+
 resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
 if (resizeddata==0) {
 _TIFFfree(data);
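Review bot: The override read from LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT is parsed with `max_nstrips = (uint32) atoi(pszMax);`, so a non-numeric or empty value silently becomes 0 and rejects every undersized strip array, while a negative value such as -1 wraps to 4294967295 and switches the new DoS cap off again; atoi also cannot report overflow, and none of these cases is surfaced to the caller. Parsing with strtoul plus an end-pointer and range check, and keeping the 1000000 default on anything invalid, makes the knob safe to expose; strtoul still tolerates a leading minus sign after whitespace, so an explicit sign check is worth adding if that matters. Because this is an environment variable rather than file data the exposure is limited, but a bad value from a deployment script would either break all recovery or reopen oss-fuzz 2350, so a TIFFWarningExt on rejected input would help diagnosis. The enclosing TIFFFetchStripThing() starts before this hunk and its remaining body continues after it.
```c
uint32 max_nstrips = 1000000;
if( pszMax )
{
    char* pszEnd = NULL;
    unsigned long nMax = strtoul(pszMax, &pszEnd, 10);
    /* keep the default on empty, signed, non-numeric, trailing-garbage or out-of-range input */
    if( *pszMax != '-' && pszEnd != pszMax && *pszEnd == '\0' && nMax <= 0xFFFFFFFFUL )
        max_nstrips = (uint32) nMax;
}
/* … unchanged: TIFFReadDirEntryOutputErr() and the nstrips > max_nstrips bail-out … */
```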