From d012417def16fd9e79585a8a80c0cc606daf2689 Mon Sep 17 00:00:00 2001 From: erouault Date: Sat, 15 Jul 2017 13:23:09 +0000 Subject: * libtiff/tif_read.c: add protection against excessive memory allocation attempts in TIFFReadDirEntryArray() on short files. Effective for mmap'ed case. And non-mmap'ed case, but restricted to 64bit builds. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675 --- ChangeLog | 8 +++++ libtiff/tif_dirread.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 93 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 932ddee5..e8a2be5b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2017-07-15 Even Rouault + + * libtiff/tif_read.c: add protection against excessive memory + allocation attempts in TIFFReadDirEntryArray() on short files. + Effective for mmap'ed case. And non-mmap'ed case, but restricted + to 64bit builds. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675 + 2017-07-15 Even Rouault * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index fbd8353c..35bcb4b8 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -1,4 +1,4 @@ -/* $Id: tif_dirread.c,v 1.214 2017-07-15 13:19:56 erouault Exp $ */ +/* $Id: tif_dirread.c,v 1.215 2017-07-15 13:23:09 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -768,6 +768,66 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryIfd8(TIFF* tif, TIFFDirEntry* di } } + +#define INITIAL_THRESHOLD (1024 * 1024) +#define THRESHOLD_MULTIPLIER 10 +#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) + +static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc( + TIFF* tif, uint64 offset, tmsize_t size, void** pdest) +{ +#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 + tmsize_t threshold = INITIAL_THRESHOLD; +#endif + tmsize_t already_read = 0; + + assert( !isMapped(tif) ); + + if (!SeekOK(tif,offset)) + return(TIFFReadDirEntryErrIo); + + /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */ + /* so as to avoid allocating too much memory in case the file is too */ + /* short. We could ask for the file size, but this might be */ + /* expensive with some I/O layers (think of reading a gzipped file) */ + /* Restrict to 64 bit processes, so as to avoid reallocs() */ + /* on 32 bit processes where virtual memory is scarce. */ + while( already_read < size ) + { + void* new_dest; + tmsize_t bytes_read; + tmsize_t to_read = size - already_read; +#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8 + if( to_read >= threshold && threshold < MAX_THRESHOLD ) + { + to_read = threshold; + threshold *= THRESHOLD_MULTIPLIER; + } +#endif + + new_dest = (uint8*) _TIFFrealloc( + *pdest, already_read + to_read); + if( new_dest == NULL ) + { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Failed to allocate memory for %s " + "(%ld elements of %ld bytes each)", + "TIFFReadDirEntryArray", + (long) 1, (long) already_read + to_read); + return TIFFReadDirEntryErrAlloc; + } + *pdest = new_dest; + + bytes_read = TIFFReadFile(tif, + (char*)*pdest + already_read, to_read); + already_read += bytes_read; + if (bytes_read != to_read) { + return TIFFReadDirEntryErrIo; + } + } + return TIFFReadDirEntryErrOk; +} + static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit( TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value, uint64 maxcount) @@ -801,9 +861,22 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit( *count=(uint32)target_count64; datasize=(*count)*typesize; assert((tmsize_t)datasize>0); - data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); - if (data==0) - return(TIFFReadDirEntryErrAlloc); + + if( isMapped(tif) && datasize > tif->tif_size ) + return TIFFReadDirEntryErrIo; + + if( !isMapped(tif) && + (((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) || + (!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) ) + { + data = NULL; + } + else + { + data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray"); + if (data==0) + return(TIFFReadDirEntryErrAlloc); + } if (!(tif->tif_flags&TIFF_BIGTIFF)) { if (datasize<=4) @@ -814,7 +887,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit( uint32 offset = direntry->tdir_offset.toff_long; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong(&offset); - err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); + if( isMapped(tif) ) + err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); + else + err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); if (err!=TIFFReadDirEntryErrOk) { _TIFFfree(data); @@ -832,7 +908,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit( uint64 offset = direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabLong8(&offset); - err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data); + if( isMapped(tif) ) + err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data); + else + err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data); if (err!=TIFFReadDirEntryErrOk) { _TIFFfree(data); -- cgit v1.2.1