From 02271af177390d7b04417eee322568f16bbabe3a Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sat, 15 Jul 2017 13:19:56 +0000 Subject: [PATCH] * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the arrays that hold StripOffsets/StripByteCounts, when they are smaller than the expected number of striles, up to 1 million striles, and error out beyond. Can be tweaked by setting the environment variable LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. This partially goes against a change added on 2002-12-17 to accept those arrays of wrong sizes, but is needed to avoid denial of services. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 Credit to OSS Fuzz --- ChangeLog | 12 ++++++++++++ libtiff/tif_dirread.c | 19 ++++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b467ec8d..932ddee5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2017-07-15 Even Rouault + + * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the + arrays that hold StripOffsets/StripByteCounts, when they are smaller + than the expected number of striles, up to 1 million striles, and + error out beyond. Can be tweaked by setting the environment variable + LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. + This partially goes against a change added on 2002-12-17 to accept + those arrays of wrong sizes, but is needed to avoid denial of services. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 + Credit to OSS Fuzz + 2017-07-15 Even Rouault * libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index a3d0efd1..fbd8353c 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -1,4 +1,4 @@ -/* $Id: tif_dirread.c,v 1.213 2017-06-27 13:44:44 erouault Exp $ */ +/* $Id: tif_dirread.c,v 1.214 2017-07-15 13:19:56 erouault Exp $ */ /* * Copyright (c) 1988-1997 Sam Leffler @@ -41,6 +41,7 @@ #include "tiffiop.h" #include +#include #define IGNORE 0 /* tag placeholder used below */ #define FAILED_FII ((uint32) -1) @@ -5470,6 +5471,22 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) if (dir->tdir_count<(uint64)nstrips) { uint64* resizeddata; + const TIFFField* fip = TIFFFieldWithTag(tif,dir->tdir_tag); + const char* pszMax = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT"); + uint32 max_nstrips = 1000000; + if( pszMax ) + max_nstrips = (uint32) atoi(pszMax); + TIFFReadDirEntryOutputErr(tif,TIFFReadDirEntryErrCount, + module, + fip ? fip->field_name : "unknown tagname", + ( nstrips <= max_nstrips ) ); + + if( nstrips > max_nstrips ) + { + _TIFFfree(data); + return(0); + } + resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array"); if (resizeddata==0) { _TIFFfree(data);