* libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the

arrays that hold StripOffsets/StripByteCounts, when they are smaller than the expected number of striles, up to 1 million striles, and error out beyond. Can be tweaked by setting the environment variable LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. This partially goes against a change added on 2002-12-17 to accept those arrays of wrong sizes, but is needed to avoid denial of services. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 Credit to OSS Fuzz
2017-07-15 13:19:56 +00:00 · 2017-07-15 13:19:56 +00:00 · 02271af177
commit 02271af177
parent 5b7f711586
2 changed files with 30 additions and 1 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+2017-07-15  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the
+	arrays that hold StripOffsets/StripByteCounts, when they are smaller
+	than the expected number of striles, up to 1 million striles, and
+	error out beyond. Can be tweaked by setting the environment variable
+	LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
+	This partially goes against a change added on 2002-12-17 to accept
+	those arrays of wrong sizes, but is needed to avoid denial of services.
+	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
+	Credit to OSS Fuzz
+
 2017-07-15  Even Rouault <even.rouault at spatialys.com>

 	* libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile().
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.213 2017-06-27 13:44:44 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.214 2017-07-15 13:19:56 erouault Exp $ */

 /*
 * Copyright (c) 1988-1997 Sam Leffler
@ -41,6 +41,7 @@

 #include "tiffiop.h"
 #include <float.h>
+#include <stdlib.h>

 #define IGNORE 0          /* tag placeholder used below */
 #define FAILED_FII    ((uint32) -1)
@ -5470,6 +5471,22 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
 	if (dir->tdir_count<(uint64)nstrips)
 	{
 		uint64* resizeddata;
+		const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag);
+		const char* pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
+		uint32 max_nstrips = 1000000;
+		if( pszMax )
+			max_nstrips = (uint32) atoi(pszMax);
+		TIFFReadDirEntryOutputErr(tif,TIFFReadDirEntryErrCount,
+		            module,
+		            fip ? fip->field_name : "unknown tagname",
+		            ( nstrips <= max_nstrips ) );
+
+		if( nstrips > max_nstrips )
+		{
+			_TIFFfree(data);
+			return(0);
+		}
+
 		resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
 		if (resizeddata==0) {
 			_TIFFfree(data);