cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tif_dirread.c: allocChoppedUpStripArrays(). avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16846

Browse Source
This commit is contained in:
Even Rouault 2019-09-01 15:57:17 +02:00
parent c22f319eb4
commit 760ecced1e
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D
1 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
libtiff/tif_dirread.c
View File

@ -5745,10 +5745,22 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32 nstrips,
TIFFDirectory *td = &tif->tif_dir; TIFFDirectory *td = &tif->tif_dir;
uint64 bytecount; uint64 bytecount;
uint64 offset; uint64 offset;
uint64 last_offset;
uint64 last_bytecount;
uint32 i; uint32 i;
uint64 *newcounts; uint64 *newcounts;
uint64 *newoffsets; uint64 *newoffsets;
offset = TIFFGetStrileOffset(tif, 0);
last_offset = TIFFGetStrileOffset(tif, td->td_nstrips-1);
last_bytecount = TIFFGetStrileByteCount(tif, td->td_nstrips-1);
if( last_offset > TIFF_UINT64_MAX - last_bytecount ||
last_offset + last_bytecount < offset )
{
return;
}
bytecount = last_offset + last_bytecount - offset;
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array"); "for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
@ -5769,9 +5781,6 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32 nstrips,
* Fill the strip information arrays with new bytecounts and offsets * Fill the strip information arrays with new bytecounts and offsets
* that reflect the broken-up format. * that reflect the broken-up format.
*/ */
offset = TIFFGetStrileOffset(tif, 0);
bytecount = TIFFGetStrileOffset(tif, td->td_nstrips-1) +
TIFFGetStrileByteCount(tif, td->td_nstrips-1) - offset;
for (i = 0; i < nstrips; i++) for (i = 0; i < nstrips; i++)
{ {
if (stripbytes > bytecount) if (stripbytes > bytecount)
@ -5953,12 +5962,16 @@ static void TryChopUpUncompressedBigTiff( TIFF* tif )
/* If we are going to allocate a lot of memory, make sure that the */ /* If we are going to allocate a lot of memory, make sure that the */
/* file is as big as needed */ /* file is as big as needed */
if( tif->tif_mode == O_RDONLY && if( tif->tif_mode == O_RDONLY &&
nstrips > 1000000 && nstrips > 1000000 )
(TIFFGetStrileOffset(tif, td->td_nstrips-1) > TIFFGetFileSize(tif) ||
TIFFGetStrileOffset(tif, td->td_nstrips-1) +
TIFFGetStrileByteCount(tif, td->td_nstrips-1) > TIFFGetFileSize(tif)) )
{ {
return; uint64 last_offset = TIFFGetStrileOffset(tif, td->td_nstrips-1);
uint64 filesize = TIFFGetFileSize(tif);
uint64 last_bytecount = TIFFGetStrileByteCount(tif, td->td_nstrips-1);
if( last_offset > filesize ||
last_bytecount > filesize - last_offset )
{
return;
}
} }
allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip); allocChoppedUpStripArrays(tif, nstrips, stripbytes, rowsperstrip);