From 90f072631b9113644bd72ad416fe899419816f81 Mon Sep 17 00:00:00 2001 From: erouault Date: Fri, 30 Jun 2017 11:29:22 +0000 Subject: * libtiff/tif_read.c: TIFFFillTile(): add limitation to the number of bytes read in case td_stripbytecount[strip] is bigger than reasonable, so as to avoid excessive memory allocation (similarly to what was done for TIFFFileStrip() on 2017-05-10) --- ChangeLog | 7 +++++++ libtiff/tif_read.c | 35 ++++++++++++++++++++++++++++++++++- 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c4ef9a7c..c969f9e2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2017-06-30 Even Rouault + + * libtiff/tif_read.c: TIFFFillTile(): add limitation to the number + of bytes read in case td_stripbytecount[strip] is bigger than + reasonable, so as to avoid excessive memory allocation (similarly to + what was done for TIFFFileStrip() on 2017-05-10) + 2017-06-29 Even Rouault * libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c, diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c index 4f85fa93..b4fe333f 100644 --- a/libtiff/tif_read.c +++ b/libtiff/tif_read.c @@ -1,4 +1,4 @@ -/* $Id: tif_read.c,v 1.60 2017-06-29 07:37:12 erouault Exp $ */ +/* $Id: tif_read.c,v 1.61 2017-06-30 11:29:22 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -1100,6 +1100,39 @@ TIFFFillTile(TIFF* tif, uint32 tile) #endif return (0); } + + /* To avoid excessive memory allocations: */ + /* Byte count should normally not be larger than a number of */ + /* times the uncompressed size plus some margin */ + if( bytecount > 1024 * 1024 ) + { + /* 10 and 4096 are just values that could be adjusted. */ + /* Hopefully they are safe enough for all codecs */ + tmsize_t stripsize = TIFFTileSize(tif); + if( stripsize != 0 && + (bytecount - 4096) / 10 > (uint64)stripsize ) + { + uint64 newbytecount = (uint64)stripsize * 10 + 4096; + if( (int64)newbytecount >= 0 ) + { +#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFWarningExt(tif->tif_clientdata, module, + "Too large tile byte count %I64u, tile %lu. Limiting to %I64u", + (unsigned __int64) bytecount, + (unsigned long) tile, + (unsigned __int64) newbytecount); +#else + TIFFErrorExt(tif->tif_clientdata, module, + "Too large tile byte count %llu, tile %lu. Limiting to %llu", + (unsigned long long) bytecount, + (unsigned long) tile, + (unsigned long long) newbytecount); +#endif + bytecount = newbytecount; + } + } + } + if (isMapped(tif) && (isFillOrder(tif, td->td_fillorder) || (tif->tif_flags & TIFF_NOBITREV))) { -- cgit v1.2.1