ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)

Rework fix done in 3719385a3f to work in more cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. Credit to OSS Fuzz Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
2018-03-17 09:36:29 +01:00 · 2018-03-17 09:36:29 +01:00 · 7a092f8af2
commit 7a092f8af2
parent a621460666
1 changed files with 2 additions and 3 deletions
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@ -5700,9 +5700,8 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
        /* file is as big as needed */
        if( tif->tif_mode == O_RDONLY &&
            nstrips > 1000000 &&
-            (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
+            (offset >= TIFFGetFileSize(tif) ||
-             tif->tif_dir.td_stripbytecount[0] >
+             stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
                    TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
        {
            return;
        }