| From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001 |
| From: Even Rouault <even.rouault@spatialys.com> |
| Date: Sun, 11 Mar 2018 11:14:01 +0100 |
| Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion |
| (CVE-2017-11613) |
| |
| In ChopUpSingleUncompressedStrip(), if the computed number of strips is big |
| enough and we are in read only mode, validate that the file size is consistent |
| with that number of strips to avoid useless attempts at allocating a lot of |
| memory for the td_stripbytecount and td_stripoffset arrays. |
| |
| Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more |
| cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. |
| Credit to OSS Fuzz |
| |
| Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 |
| |
| libtiff/tif_dirread.c | 10 ++++++++++ |
| 1 file changed, 10 insertions(+) |
| |
| diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c |
| index 80aaf8d..5896a78 100644 |
| |
| |
| @@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) |
| if( nstrips == 0 ) |
| return; |
| |
| + /* If we are going to allocate a lot of memory, make sure that the */ |
| + /* file is as big as needed */ |
| + if( tif->tif_mode == O_RDONLY && |
| + nstrips > 1000000 && |
| + (offset >= TIFFGetFileSize(tif) || |
| + stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) |
| + { |
| + return; |
| + } |
| + |
| newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), |
| "for chopped \"StripByteCounts\" array"); |
| newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), |
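Review bot: The new guard evaluates TIFFGetFileSize(tif) twice inside one condition (the `offset >= TIFFGetFileSize(tif)` test and the divisor on the next line); hoisting it into a local before the `if`, `uint64 filesize = TIFFGetFileSize(tif);`, and using `filesize` in both places makes the bound easier to read and avoids repeating what is presumably a size callback on the underlying file. The `1000000` threshold and the `nstrips - 1` divisor are not explained; a short comment such as `/* nstrips > 1 here so the divisor is non-zero; the last strip may be shorter than stripbytes */` would record the reasoning. Note that the check only fires in O_RDONLY mode and above one million strips, so a file advertising just under that still drives two allocations of roughly 8 MB each before any size consistency is verified; if that is the accepted ceiling it is worth stating next to the constant. The silent `return` leaves the image as a single unchopped strip, which matches the existing `nstrips == 0` path, but a one-line comment saying the fallback is intentional would help the next reader. ChopUpSingleUncompressedStrip begins before this hunk and its body continues after it.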
| -- |
| 2.17.1 |
| |