Lucio Andrés Illanes Albornoz daac7c
From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 11 Mar 2018 11:14:01 +0100
Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion
 (CVE-2017-11613)
In ChopUpSingleUncompressedStrip(), if the computed number of strips is big
enough and we are in read only mode, validate that the file size is consistent
with that number of strips to avoid useless attempts at allocating a lot of
memory for the td_stripbytecount and td_stripoffset arrays.
Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more
cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
Credit to OSS Fuzz
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
---
 libtiff/tif_dirread.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 80aaf8d..5896a78 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
         if( nstrips == 0 )
             return;
 
+        /* If we are going to allocate a lot of memory, make sure that the */
+        /* file is as big as needed */
+        if( tif->tif_mode == O_RDONLY &&
+            nstrips > 1000000 &&
+            (offset >= TIFFGetFileSize(tif) ||
+             stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
+        {
+            return;
+        }
+
 	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 				"for chopped \"StripByteCounts\" array");
 	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
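Review bot: TIFFGetFileSize(tif) is evaluated twice inside the new condition; hoist it into a local before the `if` (e.g. `uint64 filesize = TIFFGetFileSize(tif);`) so the two terms read as `offset >= filesize` and `stripbytes > (filesize - offset) / (nstrips - 1)` and the size is only fetched once. The early `return` is also silent: the single strip is left unchopped with no diagnostic, so a TIFFWarningExt() saying that chopping was skipped because the file is too small for the declared number of strips would help anyone debugging a file that suddenly reads differently. The `1000000` threshold is a magic number; a named constant with a comment on why that size was chosen would be clearer. The division itself is safe, since the `nstrips > 1000000` guard guarantees `nstrips - 1` is non-zero, and using `nstrips - 1` rather than `nstrips` correctly allows for a short final strip.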
-- 
2.17.1